Dailydave mailing list archives

"We're in the top of the league."


From: Aaron <apconole () yahoo com>
Date: Mon, 9 Nov 2009 09:58:00 -0800 (PST)

Anyone else catch the 60-minutes story about Cyber warfare? There are a lot of interesting anecdotes from Admiral Mike 
McConnell (described in the story as the former top spy of the nation), Jim Lewis (director of the Center for Strategic 
and International Studies), and Jim Gosler.

Some of the more WTF things admitted were:
 - "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military 
personnel would find them, and use them. On the plus side, NOW thumbdrives are banned.
 - In 2007, "Some unknown foreign power" penetrated the Department of Defense, Department of State, Department of 
Commerce, and they even think NASA, and stole terabytes worth of information. The method of attack wasn't disclosed as 
far as I remember.
 - Some medical database owned by the state of Virginia was stolen, rm'd, encrypted, and ransomed. Sean Henry, who was 
describing it, didn't comment on whether or not the state actually paid the money, but his response seemed to imply 
that they did.

One of the neat parts of the story was a quick blurb on the focus on making chips ourselves that hopefully provide some 
tamper-resistance through physical means rather than software means.

What I took away from the 60-minutes story was the following:
 - If someone is dedicated, they're getting in. All it takes is one stupid individual to undo all the security planning 
and procedure in the world. Even if it didn't, in some paraphrased words, McConnell says that he'd be shocked if there 
weren't infrastructure critical systems that weren't backdoored.
 - How is it that we have so many security practice standards (PCI DSS, SOX, and a plethora of others) and yet, none of 
our systems are remotely secure? I'd assume that agencies like the Pentagon, DoD, DoS, and others aren't just tossing 
any random Windows 98 machine into the internet fray, but to have what one assumes is their 
"mega-extreme-mountain-dew-edition-security" machines get busted? Sure, one can argue that there's no protection from 
the "thumbnail drive attack," but it seems pretty crazy that we are so insecure. (sidenote: I guess this is what ZF0 is 
trying to prove, and largely it seems like they're right).
 - Will there ever be mandatory government compulsion for companies to fix vulnerabilities? Something like this is 
suggested, but it requires a hell of a lot of infrastructure and I'm doubting that there will ever be a strong push for 
it. Unless the "no power in winter" scenario described comes to light, which is completely possible.
 - Are these comments largely hype to get me, a viewer, "shocked" into fear? Is this real? Does anyone know?

Anyway, some musings on the story. Very rarely is there something on 60-minutes that gets to the core of InfoSec, so I 
figured I'd share. You can find a link to the story's transcript at 
http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml 
Hopefully others find it interesting. 

BTW: favorite quote from the article is the subject line.

-Aaron


