Wow, virus hits US drone fleet
Bl8ckr0uter (Inactive Imported User, 5,031 posts)
Comments
Devilsbane (Member, 4,214 posts):
Ever wanted a job with the Air Force? Applications are being accepted NOW!
Hypntick (Member, 1,451 posts):
“We think it’s benign. But we just don’t know.”
That scares the crap out of me.
slinuxuzer (Member, 665 posts):
Nice, I wonder how long it will be before a weapons system is rooted and used to actually launch an attack on the US or our allies?
jts1234 (Member, 19 posts):
I applaud the speaker's honesty.
I also foresee uncomfortable questions in the near future of the drone program, followed by Fifth Amendment pleas.
Hypntick wrote: »“We think it’s benign. But we just don’t know.”
That scares the crap out of me.
powerfool (Member, 1,666 posts):
slinuxuzer wrote: »Nice, I wonder how long it will be before a weapons system is rooted and used to actually launch an attack on the US or our allies?
Well, it depends on the motive. If it is purely malicious and/or terrorism, they would turn them back against the US. If it were strategic, they would aim them at a US ally or a lukewarm interest (like Russia or China), as that would engage another force against the US.
This is scary crap... no bones about it.
RobertKaucher (Member, 4,299 posts):
I recall around 2 years ago we discussed the vulnerabilities of these systems. I am so not surprised it was not addressed. This is no different than the BEAST exploit. A vulnerability is recognized and nobody does anything about it for years until they must...
Chivalry1 (Member, 569 posts):
For some reason I am not surprised. This is a classic example of convenience and cost giving way to security.
powerfool (Member, 1,666 posts):
RobertKaucher wrote: »I recall around 2 years ago we discussed the vulnerabilities of these systems. I am so not surprised it was not addressed. This is no different than the BEAST exploit. A vulnerability is recognized and nobody does anything about it for years until they must...
Heh, I just wrote a paper for my National Cybersecurity Policy and Law course... the issue was liability and what sort of policy should be implemented in regard to the private sector for security on the Internet. The number one issue out there is still unpatched and unmaintained systems. Beyond that, by implementing Defense in Depth, a single vulnerability shouldn't be detrimental. As with all problems, it usually isn't one big problem... it is a series of small problems that could easily be addressed, but were excused for some reason or another.
How many times have you been late to work because of one thing, versus being late because of several small impediments (hit snooze, shirt was too wrinkled, burnt breakfast, dog made a mess, had to stop and get gas, small traffic jam or ticket)? That starts to sound like a crappy day real quick... and it is that sort of chain of events that leads to bad consequences.
From what I have read... it looks like it was a key logger.
RobertKaucher (Member, 4,299 posts):
powerfool wrote: »How many times have you been late to work because of one thing, versus being late because of several small impediments (hit snooze, shirt was too wrinkled, burnt breakfast, dog made a mess, had to stop and get gas, small traffic jam or ticket)? That starts to sound like a crappy day real quick... and it is that sort of chain of events that leads to bad consequences.
From what I have read... it looks like it was a key logger.
I've done some mentoring of both younger and less experienced IT workers, and there is a certain trait among the less experienced that relates to this sort of thing, and when you combine lack of experience with youth it is even harder for the individual to see the problem. Here is a paraphrased conversation I had with one of these guys...
N00b: "Bob, you always try to plan for everything that could go wrong. There is no way you can prevent everything."
Me: "It's not that I am trying to plan for every potential problem. By following best practices I'm trying to mitigate the risk of small mistakes that add up into a big tragedy. When accidents happen, it's not because someone intentionally did something wrong. The guy who checked the brake system on the bus figured the bus could go another 100 miles, even though the maintenance plan said they needed to be changed that day. The guy who had to check the tire pressure on Friday left early and figured he'd take care of it next week. The bus driver takes an extra shift to make some extra cash, but he's driving more hours in a single day than policy allows. Each of these little things taken individually is trivial, but taken together, they are not."
Everyone (Member, 1,661 posts):
A friend of mine asked me to weigh in on this the other day, as he knew I have a bit of insider knowledge in this area... As they say, I've "been there, done that, and got the t-shirt".
I'm fairly certain this was the result of a stupid user not following the rules. I don't think this was anything targeted. That person will be found, and an example will be made of them.
This is absolutely NOTHING like Stuxnet. There's no danger of drones being remotely controlled via this virus.
RobertKaucher (Member, 4,299 posts):
Everyone wrote: »A friend of mine asked me to weigh in on this the other day, as he knew I have a bit of insider knowledge in this area... As they say, I've "been there, done that, and got the t-shirt".
I'm fairly certain this was the result of a stupid user not following the rules. I don't think this was anything targeted. That person will be found, and an example will be made of them.
This is absolutely NOTHING like Stuxnet. There's no danger of drones being remotely controlled via this virus.
As a disclaimer to what I am about to say - I do not have any hands-on knowledge of these systems. But I think one major area of danger is when we mistake a generalized system for a proprietary, embedded system. Just as an example, take a specialized mobile device used for performing X function in a manufacturing environment, sold by vendor Y as a part of their mega-ERP system. From the outside the mobile device is packaged to look like a completely proprietary device - but it runs Windows CE or Windows XP Embedded. Now you have an unpatched system on your network that is, as far as you are concerned, a black box. From a security perspective it does not matter if this is a drone or whatever, as an attacker can compromise it and move laterally in the environment. So that sucks from a security perspective, but by itself is no big deal. It's typical. I've seen managed switches with a Linux-based OS that were compromised and the attacker had no idea what he had owned. He thought it was a server, and you could see in the logs he was running commands trying to figure out if it was a web server or what. This is likely the same sort of situation. The attacker was totally unaware of what he had compromised. This still inspires no confidence in me that the drones cannot be owned.
Combine the "virus" in question with this:
Insurgents Hack U.S. Drones - WSJ.com
Now we are starting to get to where PowerFool was going with his comments. Cumulative errors causing big problems. I'm not saying "OMG the sky is falling!!! The drones need to be taken out of the air!!! Or we will all die!!!" I think what we are getting at here is that there are issues that need to be both acknowledged and addressed, as the drones are too important for someone to be allowed to "just not follow the rules" and get rooted. It might not have been targeted this time...
MrAgent (Member, 1,310 posts):
One thing that people fail to realize is that the drones are on a separate network which is not connected to the Internet in any shape or form. Now while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.
Everyone (Member, 1,661 posts):
MrAgent wrote: »One thing that people fail to realize is that the drones are on a separate network which is not connected to the Internet in any shape or form. Now while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.
^^ This.
There's too much of a disconnect in the way these things work. This was most likely a common virus that at least one person who has posted in this thread has dealt with at some point or another. Easy enough for an infection to happen due to stupid users, but not so easy for it to actually "phone home". The systems that control the drones are on isolated networks. A virus infecting it could steal data the same way it infected it (careless use of removable media), but it would never allow a person to remotely control a drone.
That being said, a targeted virus, if smart enough, could control a drone, but it would be severely limited, i.e. not allow it to take off, or crash it shortly after takeoff. While they are unmanned, they don't fly themselves. Without a human controlling them, they won't get very far. I said "THIS virus" for a reason.
Do you really think these issues aren't being acknowledged and addressed? I know from experience that they are, and "heads will roll". The moron who caused the infection will be punished, and so will the idiots who leaked the info to the media. Anyone who has access to the system at all is going to have to endure all sorts of retraining and briefings on how to prevent it from happening again.
It will happen again, just like it happens on EVERY network. Why? Because USERS are stupid. Just when you think you've beaten all the stupid out of your users, you have a brand new batch of stupid coming in and using your network.
RobertKaucher (Member, 4,299 posts):
MrAgent wrote: »One thing that people fail to realize is that the drones are on a separate network which is not connected to the Internet in any shape or form. Now while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.
If you can get the payload on to the system, you can get the data off eventually. You are looking at this from a single angle of attack. Just because an accidental attack only partially worked does not mean something more sophisticated and targeted would not work. It was already demonstrated that insurgents were able to view the video feed from approaching drones, so to say that "it won't be transmitted anywhere" may not be true. All I can say is that I don't like it when I hear people say "Oh, such-and-such was not a big deal. It was an anomaly and will never happen again." As if the problem can just be ignored. Because it always happens again. I have too much experience in this field to EVER accept anyone's assurances that something "was a one-off event".
My team and I are working on a data model right now and we have serious concerns about the validity of the data we are being asked for. When we expressed our concerns we were told "Oh, that never happens." Of course we found one instance when it did: "Oh, that was just a special case." And then another, and then a 3rd. When does a special case become un-special? If one guy plugged in a USB stick once, it likely happened other times as well. I know these systems are in highly secure environments, so I'm not really worried that we are going to see drones being taken over - but I will always play devil's advocate on these sorts of issues. I've just seen too much stupidity in my life.
RobertKaucher (Member, 4,299 posts):
Everyone wrote: »Do you really think these issues aren't being acknowledged and addressed? I know from experience that they are, and "heads will roll". The moron who caused the infection will be punished, and so will the idiots who leaked the info to the media. Anyone who has access to the system at all is going to have to endure all sorts of retraining and briefings on how to prevent it from happening again.
It's just like I said with the SSL/TLS issue. Ignore, ignore, ignore until you have to deal with the consequences. This is what I don't like. I'm not saying it isn't being addressed; I'm complaining that it was not addressed until it had to be addressed due to this event.
Everyone wrote: »It will happen again, just like it happens on EVERY network. Why? Because USERS are stupid. Just when you think you've beaten all the stupid out of your users, you have a brand new batch of stupid coming in and using your network.
Designers, developers, and engineers unconsciously conspire to push users who are strapped for time into making errors. Look at this:
http://homepage.mac.com/bradster/iarchitect/images/aspack.gif
WTH? Clicking Open File does not immediately open a file. Clicking Compress does not immediately compress a file... But guess what "exit" does? Having a tab that does that is just stupid.
Here is a great example: http://www.baddesigns.com/starbucks.html
This is why humans work together. We can catch each other's mistakes. But when stupid behavior is seen and not corrected around critical systems, we end up with things like BEAST and military drones with keyloggers and Three Mile Island.
The Design of Everyday Things - Donald A. Norman - Google Books
So don't think I believe these things are not being addressed or that I am being an alarmist and saying the drones are going to be hacked and blow up New York. What I am saying is it's not as hard to fix big problems as people think. But you have to do the work up front. It's easy to blame the users. Why was this guy even allowed to do whatever he did to get the infection?
Everyone (Member, 1,661 posts):
RobertKaucher wrote: »Why was this guy even allowed to do whatever he did to get the infection?
What does being allowed have to do with it? Where does it say whoever was responsible was allowed to do it? People aren't allowed to do all sorts of things, but they still do them anyway.
I can assure you the issue isn't just now being addressed because of this; it was an issue that has been addressed over and over and over and over again. People still do things no matter how many times they're told not to.
I'll use a facility I work in, without going into too much detail on it, as an example. The entrance has several signs stating "No cell phone or electronic devices beyond this point." People are reminded via e-mails and routine briefings that they are NOT allowed to bring any electronic devices into the building. There is a spot in the mantrap to empty your pockets and leave these things at before entering. There are cameras all over the place. Entry is controlled with 3 factors of identification.
Do you think all this keeps people from bringing their cell phones into the building? Nope! We catch people doing it all the time. So far it's always been unintentional. Too bad for the guy who couldn't remember to take his phone out and leave it behind before entering. Now his phone gets destroyed, and he loses his job.
These guys are bombarded with what they can and can't do on a regular basis. Someone always does it anyway, and you end up with these types of stories. If you read it, HBSS, which was a suite of McAfee products last time I had to touch it, picked it up. That is what was in place to catch the stupid mistakes that people make. It worked. So like I said, the issue of someone not following the rules will be READDRESSED. It's not like it's just coming up for the 1st time, it's just the first time YOU'VE heard of it.
This wasn't the "OMG they're doing it wrong and so incredibly vulnerable!" that people are making it out to be. It's more like "Oh crap, it finally happened to us, good thing we caught it."
There's one thing the Military does that I always wish I could still do in the Corporate sector, and that's shut down anything that doesn't comply with policies. I got to shut down entire networks due to people not taking care of identified vulnerabilities in a timely manner when I worked in the DoD. Oh, you thought the message we sent you saying "Hey, patch these systems" was just a suggestion? Well guess what, your network is now isolated. You have 0 access to anything outside your LAN until everything is brought to compliance. If you want services restored, you better prove you've fixed the problem. Have fun explaining to your superiors that they can't accomplish the mission because you didn't do your job.
Oh how I've wished I could do that in the Corporate world.
RobertKaucher (Member, 4,299 posts):
Everyone wrote: »What does being allowed have to do with it? Where does it say whoever was responsible was allowed to do it? People aren't allowed to do all sorts of things, but they still do them anyway.
I can assure you the issue isn't just now being addressed because of this; it was an issue that has been addressed over and over and over and over again. People still do things no matter how many times they're told not to.
I'll use a facility I work in, without going into too much detail on it, as an example. The entrance has several signs stating "No cell phone or electronic devices beyond this point." People are reminded via e-mails and routine briefings that they are NOT allowed to bring any electronic devices into the building. There is a spot in the mantrap to empty your pockets and leave these things at before entering. There are cameras all over the place. Entry is controlled with 3 factors of identification.
Do you think all this keeps people from bringing their cell phones into the building? Nope! We catch people doing it all the time. So far it's always been unintentional. Too bad for the guy who couldn't remember to take his phone out and leave it behind before entering. Now his phone gets destroyed, and he loses his job.
These guys are bombarded with what they can and can't do on a regular basis. Someone always does it anyway, and you end up with these types of stories. If you read it, HBSS, which was a suite of McAfee products last time I had to touch it, picked it up. That is what was in place to catch the stupid mistakes that people make. It worked. So like I said, the issue of someone not following the rules will be READDRESSED. It's not like it's just coming up for the 1st time, it's just the first time YOU'VE heard of it.
This wasn't the "OMG they're doing it wrong and so incredibly vulnerable!" that people are making it out to be. It's more like "Oh crap, it finally happened to us, good thing we caught it."
There's one thing the Military does that I always wish I could still do in the Corporate sector, and that's shut down anything that doesn't comply with policies. I got to shut down entire networks due to people not taking care of identified vulnerabilities in a timely manner when I worked in the DoD. Oh, you thought the message we sent you saying "Hey, patch these systems" was just a suggestion? Well guess what, your network is now isolated. You have 0 access to anything outside your LAN until everything is brought to compliance. If you want services restored, you better prove you've fixed the problem. Have fun explaining to your superiors that they can't accomplish the mission because you didn't do your job.
Oh how I've wished I could do that in the Corporate world.
Everyone (Member, 1,661 posts):
Direct quote from the article:
"Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use."
When there is no network to transfer data between 2 systems, but you still have a need to get data from system A to system B, how do you do it? Removable media. Which is why there was an exception for these systems, and why it wasn't blocked on them like it is everywhere else. I can tell you that some sort of document was most likely signed by someone taking responsibility for this, as it was probably seen as an "acceptable risk" upon implementation.
You can't always just disable everything as a blanket solution. People may have a legitimate need to do something a certain way. I'd say the chances were pretty well minimized, being isolated systems in a secure facility. If you lock down the only method they currently have of transferring needed data between systems, how is the mission going to get accomplished?
With the USB stick example, these technical solutions you mention to attempt to block user stupidity are in place on 99% of the systems. Like I said, there have to be some exemptions to get the job done. Plus, factor in that you have handfuls of people with permission levels that would allow them to circumvent these technical solutions. Still a lot more secure than most anything else you'd see out there, but not 100% secure; nothing ever is.
People abuse exceptions when they find out about them, often because they think they are smart. "Oh, I ran a virus scan on this USB stick at home, and it said it was clean, so it must be, right? I should be able to plug it into this system at work that has no Internet access so I can copy my MP3 files to it and listen to some music while I work. I know this system will let me even though the other ones won't, and I'm not really supposed to do it, but what harm is there in copying some music over to listen to?"