Information Security News mailing list archives

Pentagon finds holes in DMS


From: InfoSec News <isn () C4I ORG>
Date: Wed, 7 Mar 2001 17:46:56 -0600

http://www.fcw.com/fcw/articles/2001/0305/web-eval-03-07-01.asp

By George I. Seffers
03/07/2001

The Pentagon's latest operational test and evaluation report found
substantial shortfalls with some of the Defense Department's biggest
information technology systems, including security holes in the
Defense Message System.

The annual report of the Director, Operational Test and Evaluation,
was delivered to Congress in February and made public in early March.
The report includes the Pentagon's assessment of all major systems
tested and evaluated in 2000 as part of the acquisition process.

Among other things, the report found that DMS is not fully secure.
Testers were able to penetrate the system several times, including the
five DMS test sites, its infrastructure nodes, and the Regional Node
and Operations Security Center.

DMS is a $1.6 billion program designed to provide writer-to-reader
message services for classified and top-secret information to all
defense users at their desktops.

The primary mode of infiltrating DMS included the exploitation of
so-called trust relationships. Microsoft Corp. Windows environments
within a site domain rely on trust relationships across the domain.
Thus, DMS depends on the level of security maintained in other systems
operating in the same domain, the report explained.

"Weak passwords, clear-text scripts/files with sensitive information,
and lax procedures continued to cause most vulnerabilities," the
report stated. "[Regional Node and Operations Security Center]
security is hampered by lack of a firewall."

In addition, Pentagon testers found that messaging between DMS and
existing Pentagon and allied systems "suffered due to missing routing
information and procedural problems." The report also stated, "Errors in
implementing important change notifications are indicative of system
immaturity and lack of attention to detail by system administrators."

Other systems noted in the evaluation report included:

* Global Combat and Support System: During testing, users had trouble
  getting information and had little confidence in it once they did.

* Maneuver Control System: The evaluation identified shortfalls in
  database accuracy, interoperability, logistics supportability and
  user acceptance. Performance likely would erode further in a
  battlefield environment, the report stated.

* Theater Battle Management Core System: The evaluation showed more
  than 500 deficiencies, primarily in data integrity and a lack of
  timely dissemination of the air battle plan to other system nodes.

* Land Warrior: The report noted that the restructured program looks
  good, but challenges remain, especially in the integration of all
  the subsystems.

* Army digitization: The report noted that much progress has been
  made, but current capabilities are still immature.

* Army Force XXI Battle Command, Brigade and Below: The evaluation
  found significant improvement, but the system may not be scalable up
  to division level.

ISN is hosted by SecurityFocus.com