Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure… Until 2013
from the but..-but...-kill-manning! dept
One of the big points that’s been completely lost in the debate over Wikileaks and Bradley Manning allegedly leaking a bunch of government info to Wikileaks is just how easy it was to do so. Some reports have noted that millions of people had access to the same info, and it’s quite likely that plenty of others “leaked” at least pieces of it (not necessarily to Wikileaks, but out into the world). Some are beginning to point out just how incredibly slow the Defense Department has been in trying to be more secure with its network. While they were quick to arrest Manning, actually doing something about how easy it was to leak took months. And, even worse, it looks like the major security holes in the system won’t actually be closed until 2013. So, government leakers have a few more years…
Filed Under: defense department, security, wikileaks
Comments on “Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure… Until 2013”
Every country with any sort of Intelligence agency
would have had access to all this stuff long ago. A oupl eof hundred quid would have bought it for them.
I thought this wikileaks business was over. To be honest I’m quite tired of hearing about it. The government should just be transparent and disclose how they feel about wiki leaks. They have given themselves the right to do whatever they choose regarding national security. No use pretending.
Re: Re:
Wikileaks has 261,000 State Department cables. As of today, 6693 have been released. Ones assumes that Wikileaks and the 5 newspapers that have access to the full set, are releasing the most interesting ones first. This will be going on for months if not years.
whatever
If someone put some cookies in a sealed glass box at my workplace, then made me sign a dozen forms stating that I could be executed for treason if I ate any of the cookies, I think that would be enough security to prevent me from eating them until 2013 when they used bulletproof lexan for the box.
Re: whatever
And your point is ?
This is just a typical example of Feyman’s security maxim ( found here
“During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).”
Re: whatever
If someone put some cookies in a sealed glass box at my workplace, then made me sign a dozen forms stating that I could be executed for treason if I ate any of the cookies, I think that would be enough security to prevent me from eating them until 2013 when they used bulletproof lexan for the box.
You forget the fundamental point. The magnitude of the punishment is irrelevant because most rulebreakers don’t believe that they will be caught. If they did then even a modest punishment would suffice.
2013?
It doesn’t matter as the world ends next year!
Re: 2013?
Yeah, 2013 sounds just far enough away for people to forget there was a promise made back in 2011 about fixing the networks. In 2013, things will have changed enough so that they can either fix the problem, or more likely just shrug it off again saying “well we promised something two years ago, but that was two years ago, and now is now, so we just won’t do anything.”
Either way, government transparency and accountability is NOT a problem, and it shouldn’t be ‘fixed’. It’s a good thing.
Re: Re: 2013?
Either way, government transparency and accountability is NOT a problem, and it shouldn’t be ‘fixed’. It’s a good thing.
Actually, it is a problem. We need more transparency and accountability. Tools that aid us in this effort are welcomed. I’m working on one and I will put it up on git when I’m reasonably satisfied (hopefully, someone can help fix my pathetic code). I’m pretty optimistic that these tools will continually be made and improved.
Re: Re: Re: 2013?
Actually, it is a problem. We need more transparency and accountability.
That’s exactly what he said, though it was open to misinterpretation. A slight change makes it clearer I think: “[Having] government transparency and accountability is NOT a problem, and it shouldn’t be ‘fixed’. It’s a good thing.” 🙂
see, that delay is just the current administration keeping their promise of more transparency in government.
the real issue is that no one asked exactly *HOW* they were going to do it and they didnt offer that info willingly. this must be how!
aint it great to live in a country where politicians keep their campaign promises?!
No, really....
Security won’t be fixed till 2013? WHY, are we wasting money paying these blockheads? MY and YOUR tax dollars, bazillions of them, are being spent recklessly! Time to change the guard!
It doesn't matter
They should take a lesson of what not to do from the TSA. Spending all your energy worrying about the last threat doesn’t really help you much in dealing with the next one.
The real problem here is how many people have access to this information and how easily and anomalously it can be duplicated these days. It also doesn’t help that the vast majority of this “classified” information should just be labeled “embarrassing” .
– Shouldn’t matter as the world ends in 2012. This explains the Palin 2012 10,000 Mayans can’t be wrong bumper stickers.
They have no idea how to secure the systems, so they have to take bids from the sweetheart companies, who will want tons of money. They will then award a contract, and skip doing background checks on the staff implementing “security”. They then will end up overbudget and need more money to pay for their overages on their net connection uploading juicy bits to wikileaks. They will get the system in place, and then discover it creates more holes than it solves. The system will be scrapped, 4 years later, and they will reboot the project with another open bid process only open to the friends of the congress critters.
This is what happens when they try to use the buzz words to have the synergy happen and get results.
Easier answer, stop having 40 levels of secrets. Stop trying to make things secret that are not. We need to keep some things secret but not all of the junk out there needs to be, if you reduce the pool of things designated that way you can control the access better. Oh and disable flash drives and cd burners. *blink* I can has 100 million for consulting now?
Re: Re:
I will respond to your comments one at a time.
– lol, I hadn’t heard that Palin bumper sticker
– It looks like the design is already in place. It will take two years to fully deploy. The expertise is there, however those who have command authority may not understand computer security. The NSA, which is part of DoD, certainly understands security as well as anyone. The NSA is also tasked with protecting the federal government’s computer networks. The DoD’s approach to security has been lackadaisical considering they have some of the best experts on the planet. Manning’s comment in the Manning/Lamo chat logs, shows the NSA was involved in monitoring SIPRNet for external attacks but looking for internal anomalies was not a priority. A Host Based Security System (HBSS) will be complete in June of this year. This was 40% in place (only in continental US) already on SIPRNet at the time of Manning’s leak. This monitors transfers to removable media. The DoD will incorporate the NSA designed Audit Extraction Module (AEM) to HBSS.
The crux of the problem is that SOME computers (12%) with access to SIPRNet have to allow data transfers to removable media (Sneakernet). This is needed to allow sharing of information with coalition partners, weapons systems, and other systems out in the battlefield that don’t have access to SIPRNet. Their solution is to monitor and audit these transfers.
– They shouldn’t have to do background checks. It may seem counter-intuitive to lay people, but the security design should be completely open. What is meant by the pejorative phrase “security through obscurity”, is that keeping the design of a security system secret is false security. It shouldn’t matter if Al Qaeda or the Taliban have full access to the blueprints of security. The real security is through maintaining the secrecy of passphrases, keys, or digital certificates. Being an open design allows important feedback from security experts outside of the US military and government. This is how AES was designed. Unfortunately, a lot of military and government officials (corporate as well) still believe in security through obscurity. However, it is needed in situations where there is not, and never will be, a good technical solution. Case in point, DRM.
– I am not sure if you are just being sarcastic here but I don’t see this as at all likely. It is easy to have a cynical viewpoint about security having witnessed nearly two decades of horrendous security problems in operating systems, browsers and other internet applications. Doing security correctly to eliminate all vulnerabilities is very hard, but security software doesn’t usually create new holes.
– I am not at all sure having 40 levels of secrets (and also compartmentalized by need to know) is a problem. Certainly most security infrastructure is capable of handling hierarchical access. So, 40 levels is no different than 2. It can viewed as a way to allow as much access as desired as well as a way of allowing only as little access as desired.
– Total agreement! Insider leaks are the hardest to prevent. The view that something in particular shouldn’t be secret is the motivation for leaking. My gripe with Bradley Manning is that he (allegedly) released far more information than he could have possibly reviewed himself. Given that, I don’t fully trust his motivation
– A malware infected flash drive was used to target US military computer systems in 2008. As a result, flash drives were temporarily banned. Malware can be controlled by disabling the AutoPlay function under Windows. I find it odd that writable CDs and DVDs weren’t similarly banned. Yes, do it for the 88% of SIPRNet computers that don’t need Sneakernet.
I would like my 100 million as well.
Re: Re: Re:
I’ll go halfsies on it with ya.
My fear is that the system would be the same as everything else congress gets to touch.
We do not want this new plane, its a waste. But they ram the money and funding through and force it to continue to pay back some backroom deal.
Someone gets a wise idea about what it SHOULD do from someones glossy presentation, and it gets diluted as things get shoved into it.
The extra levels of security was mainly a dig about what was “classified” that was leaked in the Manning case. It is embarrassing but hardly handing out the names and locations of CIA operatives.
While Manning might not have been able to review all of the information, some of what was contained in the leaks is a revelation that “our” Government is acting in ways that they themselves publicly denounce. That level of hypocrisy might have been enough to help motivate him further.
It seems sad that it took being embarrassed like this to get them to actually take security seriously. And part of me wonders where did any money allocated to hardening their systems before get spent.
Re: Re: Re: Re:
Just a note, It would have been easier to read my response if the lines at the beginning of each of my paragraphs weren’t deleted. They were the references in your comment but I enclosed them in “” forgetting that this would interpreted as HTML, and illegal HTML at that.
Re: Re: Re:2 Re:
Hmm.. I enclosed them in lesser than and greater than symbols which are always interpreted as HTML. Illegal stuff is deleted.
They are going to secure the information behind the NYT Paywall.
Isn't this the same government...
These are the same people that allowed one man to swindle them for YEARS based on the same faulty programming software. It was better to pay him than admit a mistake, correct?
The word incentive becomes ever more powerful as we look into the inanity that is US government.
Implementation of controls within an organization as widely dispersed as the DoD is no trivial matter. Two years to implement such controls (which involves much more than just changes to IT systems) is hardly unreasonable.
Re: Re:
I have to disagree. They could have a system in a couple of weeks had they gone with password/passphrase based authentication. There a several types of authentication servers available. You can scale up by having multiple servers. Multiple classification levels can be implemented with group access. The time consuming part is assigning documents to groups. However, you could start with a crude mass assignment and make adjustments without bringing the system down. As long as everyone can remember their passphrase under the stress of warfare, this should work.
Re: Re: Re:
lol, you think it would be possible to deploy an IT solution across the entire defense department in two weeks?? That is very very far from the reality. Consider an organization of say 50 people or less. Even with no red tape at all, you have to analyze requirements, design a solution, specify, order and receive hardware if necessary, and develop, test, and deploy software. *Maybe* you could do that in two weeks at that 50-person company. Add another few hundred thousand people and a few million lines of government regulations, and I’m also not surprised two weeks becomes two years.
Re: Re: Re: Re:
I’m a technical person, so forgive me if I do not add in a bureaucracy requirement. I would assume that if the DoD felt there was an urgency to this, red tape could have been bypassed to put, at least an initial solution, in place. Authentication algorithms and software is not a new technology. Solutions have already been designed. The DoD could have adopted either Kerberos or RADIUS as a solution to gain access, at a rough grained level, to entire servers as a first step. This is done on top of an existing infrastructure. The only change for those millions of users is to use a RADIUS client program that has been installed on their computer. They log in with a passphrase and gain access to a subset of servers. In addition to some number of authentication servers, the existing servers have to add a top layer to check for authentication. Adjustments to access can be made on the fly without further involvement from the mass of users.
The cost for this would be a drop in a very large bucket taking into account the DoD’s total budget. Scaling up is not a big problem. Facebook authenticates more than 500 million. This could be implemented as a temporary solution while the red tape unwinds and the endless details are discussed.
The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability
Re: Re: Re:2 Re:
I would assume that if the DoD felt there was an urgency to this, red tape could have been bypassed to put, at least an initial solution, in place.
I have no idea. It seems quite possible that the person or people who have to decide on this don’t have the authority to bypass anything, and the people who have the authority to cut the red tape lack either the knowledge or the interest to get involved.
The DoD decided not to go this way which means someone or some committee decided it was enough, for the next year, to further restrict Sneakernet capability
Yeah, taking the easy way out. Gee, not like that’s going to come to bite them, huh?
The article from Firedoglake misleads by summarizing SIPRnet as being either secure or not secure. There are three, somewhat independent, aspects of security at work here; ability to bridge the air gap between SIPRnet and the rest of the universe, authentication and finer grained access, logging and auditing capability. Each one will make the system more secure.
SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don’t do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it’s temporary. Certainly, the vast majority of those don’t deserve top secret listing.
The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRnet full access to all information stored on it. The full system won’t be finished till 2013, but that doesn’t mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
One of the NSA’s responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.
i even asked the NSA guy if he could find any suspicious activity coming out of local networks? he shrugged and said? ?its not a priority?
Nobody expected a military insider would do a mass leak. That was naive.