Information Security News mailing list archives

Exclusive: Army Admits To Major Computer Security Flaw


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 3 Sep 2013 09:14:22 +0000 (UTC)

http://www.buzzfeed.com/justinesharrock/exclusive-army-admits-to-major-computer-security-flaw

By Justine Sharrock
BuzzFeed Staff
August 30, 2013

The United States Army's Deputy of Cybersecurity Roy Lundgren has confirmed to BuzzFeed the existence of a major computer security flaw that enables unauthorized access by users without proper security clearance. They say the best fix is to make soldiers aware of proper conduct, instead of fixing the technology itself.

Countless computers, and the soldiers who use them, remain vulnerable to a simple hack, which can be executed by someone with little or no security expertise.

The hack allows users with access to shared Army computers to assume the identities of other personnel, gaining their security clearances in the process and having their activity logged as that user.

In order to log into a shared Army computer, you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier’s permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shutdown period.

"There are instances where the log-off process does not immediately complete upon removal of the CAC. This occurs when the system is running logoff scripts and shutting down applications," Lundgren told BuzzFeed. "The period of time that a system can be accessed following CAC removal before system logoff completes is normally not sufficient to gain unauthorized access."

[...]
