BreachExchange mailing list archives

Bad flash drive caused worst U.S. military breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 27 Aug 2010 22:35:51 -0400

http://news.cnet.com/8301-27080_3-20014732-245.htm

A malware-laden flash drive inserted in a laptop at a U.S. military
base in the Middle East in 2008 led to the "most significant breach of"
the nation's military computers ever, according to a new magazine
article by a top defense official.

The malware uploaded itself to the U.S. Central Command network and
spread undetected on classified and unclassified computers creating a
"digital beachhead, from which data could be transferred to servers
under foreign control," William J. Lynn III, U.S. deputy secretary of
defense, wrote in his essay in the September/October issue of Foreign
Affairs.

"It was a network administrator's worst fear: a rogue program
operating silently, poised to deliver operational plans into the hands
of an unknown adversary," he wrote. "This previously classified
incident was the most significant breach of U.S. military computers
ever, and it served as an important wake-up call. The Pentagon's
operation to counter the attack, known as Operation Buckshot Yankee,
marked a turning point in U.S. cyberdefense strategy."

Lynn doesn't say who was believed to be responsible for the breach,
but says the malicious code on the flash drive was placed there by a
"foreign intelligence agency." In his essay, entitled "Defending a New
Domain: The Pentagon's Cyberstrategy," (registration required for full
article) Lynn estimates that more than 100 foreign intelligence
organizations are trying to break into U.S. networks and says some
governments have the ability to disrupt parts of the U.S. information
infrastructure.

Military and civilian networks in the U.S. are scanned millions of
times each day and thousands of files, including weapons blueprints,
operations plans, and surveillance data, have been stolen by
adversaries, he says. The military's global communications backbone
alone covers 15,000 networks and 7 million computing devices in dozens
of countries, according to Lynn.

"Hackers and foreign governments are increasingly able to launch
sophisticated intrusions into the networks that control critical
civilian infrastructure. Computer-induced failures of U.S. power
grids, transportation networks, or financial systems could cause
massive physical damage and economic disruption," he wrote. Meanwhile,
Lynn warns of the threat from products shipped to the U.S. being
tampered with and said counterfeit hardware has been detected in
systems purchased by the Defense Department.

"Rogue code, including so-called logic bombs, which cause sudden
malfunctions, can be inserted into software as it is being developed.
As for hardware, remotely operated 'kill switches' and hidden
'backdoors' can be written into the computer chips used by the
military, allowing outside actors to manipulate the systems from
afar," he wrote. "The risk of compromise in the manufacturing process
is very real and is perhaps the least understood cyberthreat.
Tampering is almost impossible to detect and even harder to
eradicate."

To deal with these varied and mounting threats, the Pentagon
recognizes cyberspace as a "new domain of warfare," that is just as
critical to military operations as "land, sea, air, and space," Lynn
wrote.

The Defense Department needs a proper organizational structure to
handle threats in cyberspace, needs to be able to respond quickly, and
must ensure that civilian infrastructure is secure, he said. The
Pentagon also must hire more trained cybersecurity professionals and
innovate faster.

"Cyberattacks offer a means for potential adversaries to overcome
overwhelming U.S. advantages in conventional military power and to do
so in ways that are instantaneous and exceedingly hard to trace. Such
attacks may not cause the mass casualties of a nuclear strike, but
they could paralyze U.S. society all the same," he wrote. "In the long
run, hackers' systematic penetration of U.S. universities and
businesses could rob the United States of its intellectual property
and competitive edge in the global economy."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/