Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Air Force Network Admins Found Out About Drone Virus Through News Story

Soulskill posted about 3 years ago | from the right-wing-doesn't-know-what-left-wing-is-doing dept.

The Military 161

Nemesisghost writes "Wired's Danger Room reports that the network admins of the 24th Air Force found out about the virus infecting the drone cockpits at Creech Air Force Base in Nevada by reading the earlier news article. Quoting: 'Not only were officials in charge kept out of the loop about an infection in America’s weapon and surveillance system of choice, but the surprise surrounding that infection highlights a flaw in the way the U.S. military secures its information infrastructure: There’s no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak of. The four branches of the U.S. armed forces each has a dedicated unit that, in theory, is supposed to handle cyber defense for the entire service. ... In practice, it’s not that simple. Unlike most big private enterprises, the 24th doesn’t have a centralized system for managing and monitoring its networks. There’s no place at the 24th’s San Antonio headquarters where someone could see all the digital traffic hurtling through the service’s pipes.'"

cancel ×

161 comments

Sorry! There are no comments related to the filter you selected.

YAY (5, Insightful)

bobstreo (1320787) | about 3 years ago | (#37685312)

Compartmentalization AND Security through obscurity.

You can't make this stuff up.

Re:YAY (0)

Anonymous Coward | about 3 years ago | (#37685340)

Yeah but now they've been ousted and are therefore retarded.

Re:YAY (2)

catmistake (814204) | about 3 years ago | (#37685652)

Ha! You guys are so gullible! Don't you see? Its feints within feints! The 24th is a honeytrap! While the cyber enemies scramble to infiltrate the vulnerable 24th Air Force's non-existant NOC, our 1337 cyber-commandos are... you guessed it, in their base killing their doods. Brilliant! That's why they refer to the U.S.A.F. as "the Thinkers." Feints within feints!! w00t!

Re:YAY (0)

Runaway1956 (1322357) | about 3 years ago | (#37686216)

Funny. I've never heard of the USAF being referred to as "the Thinkers". Sorry, but I have little use for the Air Force. Anything they can do, the Army and the Navy can do. The Air Force can make no such counterclaim. I have higher regard for the Royal Air Force. Those boys get down and dirty with their sister services. The Royal Air Force even has it's own infantry, capable of securing and defending a base in a forward operating area. http://www.raf.mod.uk/rafregiment/ [raf.mod.uk] The USAF relies on the departments of the Army and the Navy to do that for them. Phhht. Thinkers. Even if that were true, while they are busy thinking, Army, Navy, and Marine pilots are out there waging war.

Get back to me when the Air Force actually deploys a fleet of attack craft, capable of getting down in the mud, the blood, and the gore, where they can actually support the troops who will win (or lose) the war.

Re:YAY (0)

Anonymous Coward | about 3 years ago | (#37686530)

http://en.wikipedia.org/wiki/820th_Base_Defense_Group [wikipedia.org]

"The 820th Base Defense Group is a force protection unit of the United States Air Force currently based at Moody Air Force Base, Georgia. The group was activated in 1997 as an exceptionally trained force protection unit of 12 Air Force Specialty Codes with an airborne capability. At a moment's notice, the group provides the expeditionary Air Force's only worldwide deployable, "first-in", fully integrated, multidisciplined, highly qualified, self-sustaining force protection capability."

Re:YAY (0)

Anonymous Coward | about 3 years ago | (#37686708)

Funny. I've never heard of the USAF being referred to as "the Thinkers". Sorry, but I have little use for the Air Force. Anything they can do, the Army and the Navy can do. The Air Force can make no such counterclaim. I have higher regard for the Royal Air Force. Those boys get down and dirty with their sister services. The Royal Air Force even has it's own infantry, capable of securing and defending a base in a forward operating area. http://www.raf.mod.uk/rafregiment/ [raf.mod.uk] The USAF relies on the departments of the Army and the Navy to do that for them. Phhht. Thinkers. Even if that were true, while they are busy thinking, Army, Navy, and Marine pilots are out there waging war.

Get back to me when the Air Force actually deploys a fleet of attack craft, capable of getting down in the mud, the blood, and the gore, where they can actually support the troops who will win (or lose) the war.

When I was in Iraq, the Air Force SPs were securing the perimeter of the base I was on (with the help of Contractors), and some of them were knocking on doors in the local town looking for bad guys. So I'd say that at least some can get down in the sand at least.

As for attack craft (I assume you mean ground attack aircraft); have you ever heard of the A-10?

Re:YAY (-1)

Anonymous Coward | about 3 years ago | (#37686974)

Dickwad: How are you able to reach the keyboard with your head wedged in that position???

Re:YAY (0)

Anonymous Coward | about 3 years ago | (#37687074)

Funny. I've never heard of the USAF being referred to as "the Thinkers". Sorry, but I have little use for the Air Force. Anything they can do, the Army and the Navy can do. The Air Force can make no such counterclaim. I have higher regard for the Royal Air Force. Those boys get down and dirty with their sister services. The Royal Air Force even has it's own infantry, capable of securing and defending a base in a forward operating area. http://www.raf.mod.uk/rafregiment/ [raf.mod.uk] The USAF relies on the departments of the Army and the Navy to do that for them. Phhht. Thinkers. Even if that were true, while they are busy thinking, Army, Navy, and Marine pilots are out there waging war.

Get back to me when the Air Force actually deploys a fleet of attack craft, capable of getting down in the mud, the blood, and the gore, where they can actually support the troops who will win (or lose) the war.

As a former USAF Security Specialist, I'd have to respectfully disagree with you.

https://secure.wikimedia.org/wikipedia/en/wiki/United_States_Air_Force_Security_Forces

Re:YAY (3, Interesting)

EdIII (1114411) | about 3 years ago | (#37686222)

You know... you might be saying that being funny.

However, I think you truly have a point. At least I really hope so. What is claimed in this article makes Air Force cyber security look so weak and pathetic that whoever they have tasked to do it could not qualify for a job with the Geek Squad.

If our security really is that weak.... why the hell are we worried about terrorists taking over civilian aircraft still when they could remotely take over a bunch of armed drones and attack military and civilian targets with our own advanced weaponry?

Re:YAY (3, Funny)

catmistake (814204) | about 3 years ago | (#37686376)

If our security really is that weak.... why the hell are we worried about terrorists taking over civilian aircraft still when they could remotely take over a bunch of armed drones and attack military and civilian targets with our own advanced weaponry?

I think it may be more difficult to get the good PS3 controllers in the desert, and even when they do, the sand just wreaks havok on them.

Re:YAY (1)

L4t3r4lu5 (1216702) | about 3 years ago | (#37687674)

"They" wrote software to make refining centrifuges crap out. "They" can probably make a crude interface to make a drone head back to base and drop it's ordnance onto the toilet block.

You're surprised? (2)

msobkow (48369) | about 3 years ago | (#37687246)

I am.

The fact that they don't have a means of broadcasting alerts to the technicians is a sign of an absolutely scary level of incometence.

Are the launch codes for the nuclear arsenal as well protected and monitored as the drones? If so, the entire world should be terrified of American incompetence.

Re:YAY (1)

Anonymous Coward | about 3 years ago | (#37687558)

Security theatre isn't about security.

Re:YAY (3, Insightful)

Ihmhi (1206036) | about 3 years ago | (#37686658)

It is kinda insane. The Army, Navy, Marines, and (of course) Air Force all have flying vehicles. I think if it flies, it should be handled by the Air Force, period. If you need special forces stuff like SOAR [wikipedia.org] , then they should be an air forces special division. Similarly, the Navy ought to handle the boats (save for the Coast Guard, which is separate for a good reason), the Army should handle infantry, etc.

I really don't get why there's all these branches of the military with overlapping roles - branches who don't talk to one another. That's how stuff like this happens. You really need one organization to handle something like networking but you end up with 4 or 5. Bureaucracy at its finest!

What? (3, Insightful)

gottabeme (590848) | about 3 years ago | (#37687308)

What you've just suggested is the same error clueless bureaucrats make about technology, except in reverse; the other side of the same coin.

PHBs who have no idea how computers or networks work say to organize or administrate them in a way that makes sense for organizing tangible items with physical problems, but utterly fails when applied to computers.

You have suggested organizing the branches of the military according to the way a computer network should be organized. Worse, you've suggested this not only regarding the branches' computer networks, but also regarding military operations.

Not only do you ignore the inter-service cooperation that already exists, but you ignore the pointless extra division that your idea would entail, like having AF pilots flying aircraft off carriers or flying Blackhawks full of Army troops. In both cases, the AF pilots would be working exclusively with members of the other branch, so what would the point be of having them under a different CoC? They'd end up assigned to TDY under another branch...in which case they might as well be in that branch in the first place. It really doesn't help unit cohesion to have artificial divisions between, e.g. the chopper pilots and the troops they carry around and support.

Are you even aware that the Marines are under the Department of the Navy? Sheesh.

Re:YAY (1)

ArtemaOne (1300025) | about 3 years ago | (#37687326)

Because the people at the top in the various organizations will not give up anything. It would be a weakness to say that someone else could do it better.

Re:YAY (0)

dvdwholesale3 (2432850) | about 3 years ago | (#37686698)

wholesale8dvd [slashdot.org] is an extremely intense program.Sheer will and determination may get you to the finish line,but to achieve the best results,youâ(TM)ve got to have the proper quality and quantity of nutrition.We make these supplements optional,so you have a choice.But know that P90x supplements were designed for this program and will supply your body with the necessary nutrients to give you added strength energy,and stamina for each workout. As you may notice from the math on the following pages, wholesale8dvd [slashdot.org] is not bulit around adaily âoecalorie deficitâ for weight loss like the general Beachbody plans found in Power 90,Kathy Smitsâ(TM)s Project :You!Type 2,and Slimin 6.Itâ(TM)s important that you understand why ,so you have the right training mentality with this program ,with the right expectations. http : //www.wholesale8dvd.com

Obligatory (0)

Anonymous Coward | about 3 years ago | (#37685324)

Military intelligence.

Funny? Insightful? Informative? Troll. All four.

Re:Obligatory (2)

einhverfr (238914) | about 3 years ago | (#37685674)

There are some things that are just embarrassing though. This is one of them. The F22's avionics systems crashing due to crossing the international date line is another. It raises serious questions about how much we trust our armed forces to properly handle security.

I used to think that the stuxnet virus had a few oversights that were well beyond the incompetence level of the US government (the P2P update feature with hard-coded password being one) but this sort of thing suggests that in fact, when it comes to technology, the US government has no competition in the field of incompetence.

Gee I wonder why you have viruses (1)

Osgeld (1900440) | about 3 years ago | (#37685346)

do they even bother to check ... apparently not

Re:Gee I wonder why you have viruses (0)

Anonymous Coward | about 3 years ago | (#37685676)

They were too busy reading the news.

WTF?! (0)

Anonymous Coward | about 3 years ago | (#37685362)

UNACCEPTABLE

Budget cuts (-1, Troll)

magamiako1 (1026318) | about 3 years ago | (#37685382)

When you have armies of people who don't want to pay taxes this is what you get. Networking training is not cheap, understanding it is not cheap. Finding people with enough knowledge combined to work across these systems is difficult and comes with a price.

Re:Budget cuts (0)

Anonymous Coward | about 3 years ago | (#37685496)

Sadly, the budget for "useless military nonsense" is the one budget that remains UNCUT. We could spend $1B/yr on this and balance the budget just by tossing things like "armed, throwable, assassin-bots" and "super-sonic multinational delta-wing fighter/bomber/ponies".

Re:Budget cuts (2)

TubeSteak (669689) | about 3 years ago | (#37685518)

This has nothing to do with taxes.
The military finds funding when it needs it.

This is mostly a failure of leadership.
Unless something comes from the top down, their networks will remain a group of islands.
It took a 9/11 for us to reform our intelligence sharing and it'll probably take the internet equivalent before the military to puts their house in order.

Re:Budget cuts (1)

Anonymous Coward | about 3 years ago | (#37685572)

I've worked at 1 Army installation in my short life, but from my experience, people move up in the ranks by tenure -- not skill or experience. Even in IT.

Re:Budget cuts (1)

TheReaperD (937405) | about 3 years ago | (#37685584)

DNS? Department of Network Security?

I'm not sure I want to see the end result of a large government bureaucracy trying to manage multiple secure networks.

Re:Budget cuts (1)

peragrin (659227) | about 3 years ago | (#37685962)

um you already are seeing the end of the results of a large government bureaucracy trying to handle multiple insecure networks.

The problem is no one does good security. It has to be installed ground up and thought out ahead of time, with the needs of the users, limitations of technology, need of oversight, and management thought about from an objective point of view.

it is either to tight to allow for actual use by users. the flights systems need thumb drives to transfer GPS data into and images out of those systems. That is bad design.

Steve Jobs said it best. Design isn't just the interface, it isn't just component layout, it is everything.

Re:Budget cuts (1)

jd (1658) | about 3 years ago | (#37685592)

They can find all the funding they like, but if your K-12 schools are teaching that dinosaurs and humans walked paw-in-hand and that computers are the work of a demon-possessed Steve Jobs, then you've got a group of people fundamentally (!) incapable of network management.

80% of all you learn, you learn before you are 12. You HAVE to get the key aspects of science, engineering, mathematics and rigorous thought TOTALLY in people's brains by that time. If you do not, you are too late. Those who haven't learned the key skills by then will never be capable of learning everything needed.

By the time someone is 24, they will have mentally peaked. Their brains will have begun to deteriorate. Learning a highly advanced, technical skill after that point is possible, but it requires enormous effort and it usually involves leveraging a skill that has similarities so that the adjustment in thought processes is kept to a minimum.

Schools and pre-schools, from age 3 onwards, have to aim at producing people of extremely high calibre. They can't keep aiming at producing Walmart shelf stackers in the hope that universities can clean up the mess. Subjects have become too complex, too intertwined, to do that.

In Britain, they're phasing in a program whereby they expect people to become polyglots by age 5, on the basis that this stimulates brain growth, capacity to learn and mental longevity. That's good. That's as it should be. It would be better if science and maths were equally stressed, but I'm happy with one victory for intelligent education at a time.

Re:Budget cuts (1)

ColdWetDog (752185) | about 3 years ago | (#37685870)

They are most certainly not teaching about a 'demon possessed Steve Jobs". If you would bother to read the voluminous eulogies on Mr. Jobs, you would see that he is about to be Sainted.

Fair and Unbalanced!

Re:Budget cuts (1)

demonlapin (527802) | about 3 years ago | (#37686452)

Are you always this insane? I've got a BS in chemistry, GPA 3.7 from 20 years ago, and I went to an absolutely batshit crazy Christian school through sixth grade. (I went there because they had a really excellent primary education in every subject other than the sciences and cost less than half of what the other private schools in the area did, in a city whose public schools suck.) You can totally learn science after the age of 12 (I did). You can totally learn new things after 24 - I certainly did. I hope you did.

What you can't replace is the free time that teenagers and college students who are supported by their parents have. I'm interested in all sorts of subjects that I'll never master because I don't have the time anymore. I can't dedicate five hours a day, six days a week, to hobbies.

Re:Budget cuts (1)

FooAtWFU (699187) | about 3 years ago | (#37685768)

Top-down control is inadequate for problems of this nature. Security needs to be a priority at the top, sure, but you need to be able to give lower-level people the ability to actually accomplish things, and work with their peers to make things happen. Rigid bureaucracies, command structures, and organizational siloization will hold them back. Combining a "horizontal" problem like security with a vertical organization is a recipe for disaster.

For a similar problem, see safety, and specifically how China's top-down control over their high-speed rail network was inadequate in prevent the signaling issues which led to the recent high-profile crash.

Re:Budget cuts (1)

TubeSteak (669689) | about 3 years ago | (#37687254)

Top-down control is inadequate for problems of this nature. Security needs to be a priority at the top, sure, but you need to be able to give lower-level people the ability to actually accomplish things, and work with their peers to make things happen.

I'm not sure you understand what I was talking about or what TFA is discussing.
We're not talking about top down control, we're talking about top down leadership.

The problem is exactly that "lower-level people [have] the ability to actually accomplish things"
The military doesn't have a unified architecture or plan for their network and that is a major weakness.
They need to create a plan to unify the disparate networks and (most importantly) execute that plan.

Things like Manning's theft of Diplomatic cables should never have happened if the military hadn't been doing IT on an ad-hoc basis.

Re:Budget cuts (0)

Anonymous Coward | about 3 years ago | (#37685612)

Are you saying the military's budget isn't large enough?

Re:Budget cuts (1)

Mr. Shotgun (832121) | about 3 years ago | (#37685856)

When you have armies of people who don't want to pay taxes this is what you get. Networking training is not cheap, understanding it is not cheap. Finding people with enough knowledge combined to work across these systems is difficult and comes with a price.

Oh blow it out your ass. The US spends over 698 Billion on it's military, more than 5 time as much as it's closest competitor: China Source. [sipri.org] If they cannot find the training budget for network security then maybe they can hold a fucking bake sale like most school districts have to in order to afford supplies.

Re:Budget cuts (1)

KingAlanI (1270538) | about 3 years ago | (#37685992)

Having that much money doesn't mean they're spending it as effectively as they could - I get the impression than an awful lot gets spent on shiny gadgets which defense contractors overcharge for, not to mention pork for Senator X's state. Sometimes this is stuff that the military doesn't really want or need.

Re:Budget cuts (1)

couchslug (175151) | about 3 years ago | (#37686196)

WRONG fucking answer.

The .mil budgets are enormous, but Air Force customs regarding network management have been fucked up for many years.

"Networking training is not cheap, understanding it is not cheap. Finding people with enough knowledge combined to work across these systems is difficult and comes with a price."

The USAF capably trains people on tasks more demanding than networking, but MilPHBs who don't understand networking combined the computer maintenance folks and the welfare-queen/closet queen (yes, really) Admin paper pushers with predictable results.

It's always been a MilPHB problem, and because the Air Force now is extremely "corporate" people who may be competent at war are taught to emulate corporate fuckups-I-mean-models.

Re:Budget cuts (1)

jeff4747 (256583) | about 3 years ago | (#37686320)

You may have had a point if there had actually been any military budget cuts in the last decade.

Re:Budget cuts (0)

Anonymous Coward | about 3 years ago | (#37686764)

1 TRILLION dollars isn't enough? You must be a civilian GS who wants more money and power or a contractor, or maybe just a clumsy troll.

You realize that the US military is probably the only part of the government that's nearly always fully funded, right?

Re:Budget cuts (2)

garyebickford (222422) | about 3 years ago | (#37686988)

Considering that defense, customs and border control are some of the few items actually set out in the Constitution as important activities of the federal government, that's probably a reasonably good thing. (Not to say that it's being done right now, I'm just sayin'). IIRC, for most of US history Defense was well over 1/2 of the total federal budget. Now it's somewhere close to 20%.

In the 1950s the entire Interstate Highway System was justified on defense grounds - the height of overpasses was set to allow military vehicles and missile carriers to go through.

The plain fact is that without borders and defense, we don't have a nation-state. EVERYTHING else is frosting on the cake. Is it being done right, effectively, etc.? Separate question. Should we be the policeman for the whole world? Nearly every other nation has wanted us in that role since WWII including many so-called counter parties like Russia and China. (Notable exceptions are of the ilk of North Korea, etc.) They often don't like the way we do it, but they distrust every other nation even more - and they certainly don't want the UN to have that kind of power any more than we do.

Re:Budget cuts (1)

JWSmythe (446288) | about 3 years ago | (#37686992)

You realize that the US military is probably the only part of the government that's nearly always fully funded, right?

Umm.. If you were in charge of the country, who would you make sure was first on the funding lists? Picking the group with the best armed people in the world, who were specifically trained to kill, doesn't seem like a bad idea.

Sticking them at the end of the list, where they won't ever see funding, would be a rather poor idea. Well, unless you want an armed revolution with no one to protect you.

[and then the light over AC's head blinks on]

So kids, that's why your schools are shutting down. Because you don't pose an immediate threat to the government. Wait til you turn 18, and they train you to kill. You'll get funding. Well, until you are broken. By then, you aren't as much of a threat, and a good bit of the brainwashing will still stick.

(No offense intended to any service men or women who are reading this. I do intend offense towards our government.)

Re:Budget cuts (1)

iiiears (987462) | about 3 years ago | (#37687224)

Go Sparta!

Were they also surprised ... (1)

damn_registrars (1103043) | about 3 years ago | (#37685396)

... when the news pointed out recently that all the drone video surveillance footage is sent unencrypted? I know I found that a little surprising.

Re:Were they also surprised ... (1)

jd (1658) | about 3 years ago | (#37685610)

Not sure about "recently". This has been reported time and again for years. I recall reading on Slashdot quite some time back on how people in Pakistan were able to watch drone transmissions using cheap television decoders.

Re:Were they also surprised ... (4, Interesting)

jeff4747 (256583) | about 3 years ago | (#37686212)

No, because that is intentional.

If you encrypt it, you have to distribute the decryption keys. That's not a trivial task when you're talking about military situations. You have to deal with unreliable communications, the possibility of a unit being overrun and keys captured, and distributing new keys regularly over a very wide area to units from several countries. Now remember that any of these problems don't merely cause downtime, but get troops killed.

Or you just transmit the video unencrypted.

The assumption was any adversary sophisticated enough to receive the video would also have the minimal radar and signals capabilities to detect the presence of the drones anyway, so the video itself would not be all that helpful.

That assumption doesn't hold with the conflicts we are currently fighting, so they're trying to figure out if it's sufficiently worthwhile to encrypt the data with the problems that would cause.

Re:Were they also surprised ... (0)

Anonymous Coward | about 3 years ago | (#37686596)

You have it wrong. You need to distribute the encryption keys, not the decryption keys. The decryption key stays private. This is not a problem.

Re:Were they also surprised ... (2)

jeff4747 (256583) | about 3 years ago | (#37686724)

No, you're talking about distribution of the keys on the drones. That isn't a problem, since the drones return to a relatively safe base regularly.

What is a problem is you want the soldiers on the ground to be able to see the video, any time, under fire or not, even if their network connection has been down for months, even if they belong to another nation.

It's not easy to enter a new key while someone's dropping mortar rounds all around you, assuming you can even get the correct people on the radio.

Transmit unencrypted video and that problem goes away. Which is why they chose to do so.

Shenanigans (1)

Pooua (265915) | about 3 years ago | (#37685406)

I wonder how much porn and illicit downloading goes through the military networks? In all the other computer networks I've seen, if no one is holding users accountable, the network will be abused.

So, tell me, again, how the virus got on the machines? A "thumb drive," you say? And, the virus keeps returning? Hrmmm...

Who thought this network infrastructure arrangement would be a good idea?

Re:Shenanigans (1)

Anonymous Coward | about 3 years ago | (#37685542)

USB drives are banned on at least US Air Force networks, your user account will get disabled if you even plug one in.

Re:Shenanigans (1)

TheReaperD (937405) | about 3 years ago | (#37685598)

From what I read in another article, they were using portable hard drives to do map updates and download the footage as the systems are not attached to the main network. Now the drives appear to be infected as well as other computers so tracking down all of the sources of the virus and eliminating them requires a lot of sneakernetting.

Re:Shenanigans (-1)

Anonymous Coward | about 3 years ago | (#37685936)

I wonder how much porn...goes through the military networks?

Marine, here. A lot. Like...A-LOT-A-LOT. Think about it, you've got thousands of testosterone-fueled trained killers who technically aren't supposed to visit prostitutes. PORN PORN PORN PORN PORN PORN PORN PORN.

Re:Shenanigans (2)

jeff4747 (256583) | about 3 years ago | (#37686296)

I wonder how much porn and illicit downloading goes through the military networks?

Not much. They use proxies and whitelists. Your average elementary school is less locked down than the military networks.

So, tell me, again, how the virus got on the machines? A "thumb drive," you say?

If you're going to claim incompetence on their part, you could at least RTFA. Portable hard disks used to transfer map updates from network-connected systems to the isolated network where the drones operate.

Airgapped (1)

currently_awake (1248758) | about 3 years ago | (#37685424)

Standard security practice for high reliability systems is they don't get on the internet, and you lock them down so the operators can't install software. So how could a glorified arcade machine get infected? Oh that's because the men running it like to play games (that aren't installed) so they bring them in on usb sticks and badger the admins to unlock the machines so they can install them. Or the network admins are incompetent.

Re:Airgapped (1)

MichaelKristopeit345 (1967646) | about 3 years ago | (#37685950)

or you could read the article and see that the infections came from external hard drives that were used to load new navigation maps on the system.

you're currently_stupid.

Re:Airgapped (0)

Anonymous Coward | about 3 years ago | (#37686640)

Airgapped? Seriously? Did you see the cockpit photo [wired.com] ? There are at least 8 different unique monitors there! They have to integrate weather, targetting, mapping, navigation, flight control, weapons, and probably other systems. It's really hard to airgap systems that need to talk to each other.

Or maybe you just think that somebody should be manually typing the target coordinates into the mapping system and hope they get it right every time.

dom

It keeps happening... (1)

mikael (484) | about 3 years ago | (#37685428)

Just about every possible problem has been discussed on slashdot before.

Trying simple things to lock down military PC's such as sealing up CD-ROM/DVD drives and USB ports is defeated by the motivation of troops wanting to listen to his MP3 collection or view family videos.

Then the security of actual networks isn't done because the admin's are also engaged in regular military duties. They only have enough time to get any system setup before moving to the next assigned work task.

Research groups also have students going in and out as well as working remotely from other sites.

DTi has a report that the level of hacking was so bad that even the group conferences by telephone networks were being accessed remotely.

Re:It keeps happening... (1)

Kittenman (971447) | about 3 years ago | (#37685562)

Trying simple things to lock down military PC's such as sealing up CD-ROM/DVD drives and USB ports is defeated by the motivation of troops wanting to listen to his MP3 collection or view family videos.

Not so. It's thwarted by the officer in charge (civilian or military) not saying "NO!".

And then thwarted by not having an automatic scan of the thumb drive on insertion.

Re:It keeps happening... (0)

Anonymous Coward | about 3 years ago | (#37685984)

I would suspect that security on military networks is thwarted in much the same way security of civilian company networks are thwarted. Boss gets what boss wants. I'm sure most IT guys would know that the worst security offenders are higher up the management food chain. In other words, it's very hard to enforce policy when those who are supposed to be under it pull rank.

If you want security to be locked down, IT specialists and ratings should be moved over to the officer side instead of being an enlisted job. Or at least get a representing officer with a high enough rank to be able to enforce policy as problems are discovered by the enlisted under him. That will nip that kind of bullshit in the bud. As it is right now, it's likely hard to enforce policy when the guard dog has no teeth.

Re:It keeps happening... (2)

Ethanol-fueled (1125189) | about 3 years ago | (#37685608)

Trying simple things to lock down military PC's...defeated by the motivation of troops wanting to listen to his MP3 collection or view family videos.

Ah, so that's what they call porn nowadays. Are those the "family photos" with the annoying captions in them? Perhaps the mighty OSI should be employing real experts to solve the malware problem, instead of just trolling the dorms busting junior enlisteds smoking pot and drinking underage.

Re:It keeps happening... (1)

jd (1658) | about 3 years ago | (#37685712)

It really doesn't help that the military use Windows for this stuff. Windows is not a Trusted OS. (If you read through all the literature on trust across multiple devices connected together, the upshot is that it should not be possible to violate Mandatory Access Controls. You should not be able to write data that is of a higher security setting than the device you are writing to can support. MAC is always inherited, so no program on an untrusted device should ever run at higher privilege than the subset of the untrusted privilege that also lies within your own privileges. And so on.)

Actually, it would be good if there was a commercial/military certification system that focused on the OS (ie: not a simple clone of the Common Criteria) that was quick and easy for OS writers to use and which could provide a suitable level of confidence that security was - if not watertight, then at least not a Titanic.

Re:It keeps happening... (0)

Anonymous Coward | about 3 years ago | (#37685884)

Actually, it would be good if there was a commercial/military certification system that focused on the OS (ie: not a simple clone of the Common Criteria) that was quick and easy for OS writers to use and which could provide a suitable level of confidence that security was - if not watertight, then at least not a Titanic.

And what good would that do when Microsoft steps in and bribes whoever's in charge to ignore/bypass/corrupt the certification system enough to get Windows installed on everything?

Re:It keeps happening... (1)

garyebickford (222422) | about 3 years ago | (#37687006)

Ahh, yes. POSIX - sure, Windows is POSIX-certified ...

Re:It keeps happening... (1)

couchslug (175151) | about 3 years ago | (#37686392)

"Then the security of actual networks isn't done because the admin's are also engaged in regular military duties."

That's because the AF combined career fields and merged the welfare-queen Admin field with the computer folks. Whoever made that decision deserves a blanket party....

Re:It keeps happening... (1)

hedwards (940851) | about 3 years ago | (#37686556)

The computers that troops use for personal use shouldn't have any sensitive information on them and they shouldn't have any access to it either. Granted the troops themselves will have access to information that's sensitive, but that's a different matter than this.

Next time ... (1)

PPH (736903) | about 3 years ago | (#37685434)

... you post "I, for one, welcome our pwned drones!" you never know who might be reading.

Consolidation is Needed (3, Interesting)

hedgemage (934558) | about 3 years ago | (#37685450)

When nuclear weapons were new, each branch of the military tried to become the 'nuclear' arm by introducing new weapons systems and trying to impress politicos with how they should be the ones with the budget and prestige. We don't need multiple branches of cybersecurity forces, we need one branch that can handle it all. Time to dump the military romanticism of the 18th century that divides our military into earth/water/air/fire/heart and reorg. Hell, maybe we even need another side to the Pentagon for cyberwarfare.

Re:Consolidation is Needed (0)

Anonymous Coward | about 3 years ago | (#37685622)

Let's just go whole hog, 17 sides, The Heptadecagon!

But hey, it'll have the same number of bathrooms.

Re:Consolidation is Needed (1)

ColdWetDog (752185) | about 3 years ago | (#37685906)

When nuclear weapons were new, each branch of the military tried to become the 'nuclear' arm by introducing new weapons systems and trying to impress politicos with how they should be the ones with the budget and prestige. We don't need multiple branches of cybersecurity forces, we need one branch that can handle it all. Time to dump the military romanticism of the 18th century that divides our military into earth/water/air/fire/heart and reorg. Hell, maybe we even need another side to the Pentagon for cyberwarfare.

Perhaps not. If you have ONE system that gets compromised and the whole shooting match is compromised. This way, the system is so screwed up that it takes years to figure out who's on first.

Re:Consolidation is Needed (2)

couchslug (175151) | about 3 years ago | (#37686214)

Nonsense. Leadership and giving the right ORDERS works fine.

You can TELL the military to stop using Windows tomorrow and they either do that or it's UCMJ time. The example is extreme but real.

A lot of cybersecurity would be to reduce bullshit computer use. Take away options. Take unclassified systems off the internet or filter them heavily.

Re:Consolidation is Needed (0)

Anonymous Coward | about 3 years ago | (#37686636)

Theres a LOTTTTTTTTTTT of reasons why the military is de-centralized. Ask any historian, military or otherwise, the moment you create a "Supreme General of ALL Armed Forces", the political scales of a nation are completely destroyed.

cyber command (3, Funny)

kaoshin (110328) | about 3 years ago | (#37685470)

Ok, is this what they meant by downgraded provisional cyber command? As in, a room with pictures of maps on big flat screens and no actual command of anything? If this is the best the most elite hackers our military can muster, then I think my wife should try and apply. She knows how to use Excel pretty well.

Re:cyber command (0)

Anonymous Coward | about 3 years ago | (#37685540)

Hackers don't run defence, they run security consultancies, pen testing and giving security advice that business ignore as soon as their audit requirements are fulfilled. Standard defence is run by corporate IT departments, which as we all know are as highly trained and motivated as any Iranian or Chinese state backed hacker, and have escalation privileges all the way up the hierarchy to the coffee machine. As the private sector corp is the highest and most efficient form of human productive organization, it is only right to see the military model their defence posture and infosec priorities on the lead of technically led corporations like Comodo, RSA and McAfee.

Re:cyber command (2)

Stray7Xi (698337) | about 3 years ago | (#37686492)

If this is the best the most elite hackers our military can muster, then I think my wife should try and apply. She knows how to use Excel pretty well.

In fact that is exactly how military works. They hire mostly people with high school education and train them into career fields. Cyber command started just over a year ago. Apparently you think the military should be able to train up people in 1 year for what takes colleges 4 years to do.

I prefer to think of them as CS college sophomores... they're still thinking about switching majors because "math is hard."

Re:cyber command (1)

hedwards (940851) | about 3 years ago | (#37686584)

That approach used to work, prior to the US Army Air Corps., there wasn't much in the way of pilots available so, they had to train them quickly after enlistment. Especially since the pilots that were available didn't come with dog fighting strategies already in hand. Cybersecurity isn't a new field and trying to train people from scratch without having the infrastructure in place is just going to end badly.

I'm not really sure what the solution is, but it strikes me as naive to assume that just because they can't train quickly enough that there isn't a real problem now. Perhaps they ought to be recruiting more heavily from people that have graduated, often times you can get an expert that's only 22.

Oh wow, I am sooo impressed with the volunteer .. (1)

sgt_doom (655561) | about 3 years ago | (#37685528)

..military, they really excelled when they added those bottom two mental categories (Category 5, unbelievably dumb, and Category 6, do not compete with a Pet Rock, sir!). Seriously, though, this is a prime example of what transpires when they've shipped the bulk of tech jobs offshore (as of July, 1999, there has been NO NET NEW job creation in the USA --- thanks Wall Street!!!): they keep erasing it and it just keeps coming back. Hmmm......and they do bisynchronous broadcasting: back and forth between the control element and the drones.....hmmmm....wonder why it just keeps coming back and back......who is next in line to control Skynet, me wonders????

So in other words... (1)

xyourfacekillerx (939258) | about 3 years ago | (#37685634)

We don't and probably won't ever really know the true nature of this virus. Assuming there is a C&C outside the network or a traitor inside, the thing probably was either told to self-destruct, plant a bogus virus and delete its trace - or it was manually deleted. And since no one was actively monitoring the systems, I'm guessing their logs and back-ups are in such a disarray that forensics won't yield much about the original infection.

*sarcasm* way to go, Obama. You can hire the world's best data mining and marketing scientists to crunch social media trend numbers for your campaign, but you can't secure the military which looks to you as their top chief? No, no, I'm not trying to be political... but that is very ironic and shows in general how as a whole our country's investment in computer tech is misplaced.

Anyways, since we can't privatize our intel, obviously we need to invest more money into educating, training or hiring decent (or better) cyber defense and security experts. And monitor our systems with a combination of 24/7 human and algorithmic plus machine learning AI. It needs to be a 110% top priority starting now. A strong policy there will also stimulate growth in the field - education will expand, demand for skilled workers will increase, and the computer industry as a whole will benefit.

start by hiring people based on skills and not BA (1)

Joe_Dragon (2206452) | about 3 years ago | (#37685758)

start by hiring people based on skills and not BA's. It IT hands on work / training / tech school is a lot better then a 4 year CS class load.

Also there needs to be a way to get tech people in with out the boot camp part and or having to deal all the rank crap or the move up or get out idea. Some tech people can do good as a manager other not so much.

Also no stay away from lot's of non tech mangers.

Re:start by hiring people based on skills and not (1)

Zakabog (603757) | about 3 years ago | (#37685864)

... I'm technical and I made it in boot camp (USMC). Every Marine a rifleman. Its not hard and they don't just want IT people. Yes maybe if we get rid of boot camp and increase the pay for certain jobs and stop requiring everyone know how to shoot then the IT staff might be a little better, but I really doubt by much. There are some smart guys in the military things like this are usually a management issue.

well you want IT people to be IT not rifleman or o (1)

Joe_Dragon (2206452) | about 3 years ago | (#37686348)

... I'm technical and I made it in boot camp (USMC). Every Marine a rifleman. Its not hard and they don't just want IT people. Yes maybe if we get rid of boot camp and increase the pay for certain jobs and stop requiring everyone know how to shoot then the IT staff might be a little better, but I really doubt by much. There are some smart guys in the military things like this are usually a management issue.

well you want IT people to be IT not rifleman or other stuff that can let then be pulled from the IT to a non IT rifleman job even more so for a state side job.

Also there are IT people who are to old for boot camp and or are hacker types / people with Asburger / other stuff who can do a IT job but can't be the type of person you want on the front lines as a rifleman or the people who will fail boot camp.

It needs to be out side of the enlisted / officer side of things. Maybe direct commission like with scientists, pharmacists, physicians, nurses, clergy, and attorneys

Re:well you want IT people to be IT not rifleman o (1)

garyebickford (222422) | about 3 years ago | (#37687062)

well you want IT people to be IT not rifleman or other stuff that can let then be pulled from the IT to a non IT rifleman job even more so for a state side job.

IIRC 'every man a rifleman' is characteristic of the Marines, and not the same as other branches. The Marines consider it very important that every member of the team can operate that way. This is related to the particular job that Marines are intended to do, operating as small groups often out of touch with higher levels of command. So everyone on the team has to be able to pick up the slack when they lose someone. (IANA military guy - I've just read a lot.)

It's worth noting that in Desert Storm the Marines had their own network architecture (I think it was based on Banyan, an early proprietary windows-centric ethernet architecture). They brought in several thousand computers and had their entire network up and running in something over a week, from a bare patch of sand with no power. Pretty impressive for 1991. The other services, not so much.

Re:well you want IT people to be IT not rifleman o (0)

Anonymous Coward | about 3 years ago | (#37687230)

Did you mean Assburger?

Um, no one finds this suspicious or irresponsible? (1)

RobinEggs (1453925) | about 3 years ago | (#37685698)

So apparently Wired had the story in the first place, and now they have a second story reporting that the Air Force never knew about the problem until reading about it in their first story? There are two serious problems here.

First, it seems like Wired has motive for some exaggeration or misrepresentation here: "Our investigative reporting is so top notch they don't even know they're being investigated!" Certainly major exposes make it to press without a leak, it happens all the time, but any journalistic entity has ample motive to over-emphasize their cunning and resourcefulness. How about we rely on more than one source for these things, maybe?

Second, and much more importantly, if Wired really did manage the entire investigation completely under the radar, then they went to press with information about severe flaws in a military weapons system before even telling the government about it. That's unforgivably irresponsible. At minimum the Air Force deserved a direct and forceful communication from Wired the very minute the story went public, if not slightly before: these are weapons systems we're talking about, and remote controlled at that. Getting maximum impact for your story and not giving the government time for a cover up is one thing, but national security isn't just some neoconservative buzzword; some things really are secret and sensitive for good reason. You don't just scream "Top Secret files open on this desk over here!", even if there are files there. It's stupid and damaging.

This is no different, in many ways, from finding flaws in Microsoft products or credit card systems: you give the people who need to fix it some kind of heads-up before you go splattering it all over the internet. Yes, if you don't go public no one ever learns and no one is pressured to fix their problems, but going public before you even consider how you're going to communicate with the affected developer is just stupid grandstanding.

Re:Um, no one finds this suspicious or irresponsib (0)

Anonymous Coward | about 3 years ago | (#37685748)

Regarding irresponsibility, it's not that the AF didn't know about the virus. It's that the folks at 24th AF didn't know about what was going on at a unit level at Creech AFB.
Ergo... It's that the right hand knew about the virus but hadn't told the left hand because they had told the right knee and thought it was the knee's job to tell the left hand :)

So Wired wasn't truly irresponsible (though the folks at Creech that revealed a military cyber vulnerability to the general public were very irresponsible)

Re:Um, no one finds this suspicious or irresponsib (1)

biodata (1981610) | about 3 years ago | (#37685792)

Yes but on the other hand if you find flaws in Microsoft or credit card systems the worst that would happen is some fraud and/or inconvenience if the flaws are exploited. The possibility of automated remote controlled murder is a different thing entirely and should perhaps be treated differently. Going public early with maximum sensationalism might increase the likelihood of people realising that remote controlled killing machines are ultimately too dangerous to us all to allow their continued proliferation.

Re:Um, no one finds this suspicious or irresponsib (1)

DrVomact (726065) | about 3 years ago | (#37686186)

So apparently Wired had the story in the first place, and now they have a second story reporting that the Air Force never knew about the problem until reading about it in their first story? There are two serious problems here.

Not if you bothered to read the article. Here is the first paragraph:

Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.

Some people in the Air Force knew, but they did not notify their own network security organization. If true, then that is irresponsible behavior by Air Force personnel, and something we should thank Wired for reporting.

Having said that, I also have to admit that I'm confused about who knew what, and who was denied information. The original Wired story [wired.com] speaks of efforts to eradicate the malware:

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

One can only hope that the new bunch of security people who just found out about the malware via the Wired article are more competent than the first ones, who leaked the information to Wired. Was the leak itself irresponsible? I truly can't tell: when incompetence in handling such deadly weapons reaches such empyrean altitudes ...my mind boggles. Clearly, no one connected with this weapons system knows what they are doing, nor do they seem overly concerned.

Perhaps a bit of mental clouding is to be expected among individuals who run a weapon system "allowing U.S. forces to attack targets and spy on its foes without risking American lives"—apparently by killing them [mediaite.com] . Doublethink and duckspeak aren't conducive to organizational efficiency...but that's the price you have to pay to keep the terrorists from winning.

Re:Um, no one finds this suspicious or irresponsib (0)

Anonymous Coward | about 3 years ago | (#37686748)

Have you ever tried to report a cybercrime? It's a difficult and mostly useless process. The local office will take your report, perhaps even thank you for the information, and if it involves real money they may even report it to a central office. Then, in each of the half-dozen cases I've seen personally, there will be _no_ effective followup. The only action I've seen has been when equipment was physically stolen, in bulk, from a multi-national corporation that deals regularly with federal law enforcement agencies.

Wired may well have reported the issue and been entirely ignored. This tendency to passively ignore, and do nothing, about cyber security incidents is precisely why public exposure of the laws has historically been far more effective than quietly reporting flaws and letting the vendor, or law enforcement, act at their own leisure. This is embodied by CERT, where both casual and profund security flaws are reported on a daily basis and profound flaws have remained unaddressed for over a decade at the reques tof the vendor of the flawed products. These flaws are still in effect, and the exploits are still used, so the silence is benefiting only the profits of the vendor and the crackers themselves.

Another 9/11 ... By our own drone? (1)

anubi (640541) | about 3 years ago | (#37685738)

That's a headline we may see if we lose control of those things.

It's all good. Network mgmt outsourced to China. (0)

Anonymous Coward | about 3 years ago | (#37685774)

eom...

and run it like there high speed rail system? (1)

Joe_Dragon (2206452) | about 3 years ago | (#37686360)

it will end up just as bad with more cover ups.

Single switch? (1)

Technomancer (51963) | about 3 years ago | (#37686134)

from TFA: There’s no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak

Maybe it's for the better. If there was a central control of whole network it would make it a great target for attack.

The 24th AF is just starting (1)

jeff4747 (256583) | about 3 years ago | (#37686256)

Part of the shuffling around that created Cybercommand also created the 24th Air Force to be the AF's IT shop. They're still standing up and taking over operations from all the separate units.

So it's not completely surprising they wouldn't know about it. They may not have taken over at that base yet.

"Cyber Defense" (0)

Anonymous Coward | about 3 years ago | (#37686282)

If they'd get the buzzword-happy officers out of there, in favor of brass-tacks "Network Security," we might see an improvement. Unlikely to get funded, though.

Utter Bullshite (1)

Anonymous Coward | about 3 years ago | (#37686338)

1) The network goons know they should report it. They dun goofed, they are in BIG trouble.

2) Had this virus been on a network that crosses into the Internet then it WOULD be detected. End of story. Even if it didn't cross into the Internet, it was detected by HBSS - aka anti-virus. Somehow the reporting dun broke down.

3) There will be fallout but most of this is FUD, telling the narrative "OMG teh US Military is not ready for CyberWarz!" Ok, chicken little, settle down... unless you are a airman in the networking section at Creech, everything is fine. There are many, many layers to this tootsie pop and even if it were full of shite it would take a while to get to that center of excrement. These guys blew it and didn't report the problem to anyone other than Wired?

Re:Utter Bullshite (1)

Gyrony (2463308) | about 3 years ago | (#37686758)

I foresee a transfer in someones future...

Excellent! (0)

Anonymous Coward | about 3 years ago | (#37686716)

This mean that the Obama Thing residing ithe White House can not direct the Preditor Drones to Kill USA citizens per recent secret executive order of the President of the United States of America Barak Hussien Obama II.

Wonderful.

Jolly Good.

A real Sucker Punch to Obama Boy!

Obama Boy needs a "Round House" Socker Kick to 'es Nuts I'd say.

Send the bastard to the turf. Then land a boot on 'es neck. Sure to send 'em to the Walter Reed for extended recoups just to survive.

Bastard Obama never should 'ave been born i say.

LoL

Hey wait a second y'all! (1)

gfolkert (41005) | about 3 years ago | (#37686734)

"Windows" was Orange Book C2 Rated in the 90s on WindowsNT v3.5SP3 on 3 certain Compaq Hardware Specs, with no CD Drive, Floppy Drive, no modem and no network connection. How much different could it be now. We have been told Windows 7 is the MOST SECURE Windows yet... so its gotta be better now than in the 90s. Right? The saying "Remember Ed Curry!" keeps popping up in my head for some reason.

The real problem is rank (0)

Anonymous Coward | about 3 years ago | (#37687052)

Having spent many years in uniform and in a scif you find holes all the time, but can't report on them for fear of reprisal.
It's 100% about CYA and the security goes "unoticed".
Those of us who were naive enough to think that pointing them out would result in them being fixed instead walked away with LRO's and Article 15s.
The military hierarchy does not support real computer/network security.
You don't rock the boat.

Not Surprised (0)

Anonymous Coward | about 3 years ago | (#37687240)

When I worked with the military as a contractor they were in the process of implementing a policy of turning off telnet access to their networks. When they did turn it off, they had not setup an alternative such as SSH, and as such no one could do their jobs. The admins at the Air Force bases didn't know how to setup SSH, and thus they simply went back and setup telnet.

Even during the interim "outage" when telnet was turned off, there was one base still allowing telnet access, and you could actually login there, and they had setup a kind of proxy that let you access any other air force base. It was like they created a backdoor to the systems of other air force bases.

It was simply an issue with the knowledge level of the admins that seemed prevalent across the 30+ air force bases that I worked with. Probably alot to do with the environment and their methods of encouraging advancement, training, and continual education.

An RFC for Weapons Systems Control Networks (1)

BenJCarter (902199) | about 3 years ago | (#37687340)

The drone control systems should be completely isolated physically. A secure drone control network should be devoid of any physical/wireless/removable media connection to anything other than drones and other drone control devices under local command. This must include input vectors such as removable media or anything other than secure updates installed by military personnel.

Think STUXnet.

Or perhaps SINOnet?

Paranoid? Or not paranoid enough?

Re:An RFC for Weapons Systems Control Networks (1)

BenJCarter (902199) | about 3 years ago | (#37687358)

Aww, I said should when I meant MUST. As in "A secure drone control system MUST be completely isolated physically. A secure drone control network MUST be devoid of any physical/wireless/removable media connection to anything other than drones and other drone control devices under local command. This MUST include input vectors such as removable media or anything other than secure updates installed by monitored military personnel.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?