
Wow, virus hits US drone fleet

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)

Comments

  • jamesp1983 (Member, Posts: 2,475)


    That's crazy. Reminds me of Stuxnet, although Stuxnet was a directed threat.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • Devilsbane (Member, Posts: 4,214)
    Ever wanted a job with the air force? Applications are being accepted NOW!
    Decide what to be and go be it.
  • Hypntick (Member, Posts: 1,451)
    “We think it’s benign. But we just don’t know.”
    That scares the crap out of me.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • slinuxuzer (Member, Posts: 665)
    Nice, I wonder how long it will be before a weapons system is rooted and used to actually launch an attack on the US or our allies?
  • tpatt100 (Member, Posts: 2,991)
    Did the drones become sentient? Lol
  • jts1234 (Member, Posts: 19)
    I applaud the speaker's honesty.

    I also foresee uncomfortable questions in the near future of the drone program, followed by fifth amendment pleas.
    Hypntick wrote: »
    “We think it’s benign. But we just don’t know.”
    That scares the crap out of me.
  • powerfool (Member, Posts: 1,666)
    slinuxuzer wrote: »
    Nice, I wonder how long it will be before a weapons system is rooted and used to actually launch an attack on the US or our allies?

    Well, it depends on the motive. If it is purely malicious and/or terrorism, they would turn them back against the US. If it were strategic, they would aim them at a US ally or a lukewarm interest (like Russia or China), as that would engage another force against the US.

    This is scary crap... no bones about it.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • RobertKaucher (Member, Posts: 4,299)
    I recall around 2 years ago we discussed the vulnerabilities of these systems. I am so not surprised it was not addressed. This is no different than the BEAST exploit. A vulnerability is recognized and nobody does anything about it for years until they must...
  • Chivalry1 (Member, Posts: 569)
    For some reason I am not surprised. This is a classic example of convenience and cost giving way to security.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • powerfool (Member, Posts: 1,666)
    RobertKaucher wrote: »
    I recall around 2 years ago we discussed the vulnerabilities of these systems. I am so not surprised it was not addressed. This is no different than the BEAST exploit. A vulnerability is recognized and nobody does anything about it for years until they must...

    Heh, I just wrote a paper for my National Cybersecurity Policy and Law course... the issue was liability and what sort of policy should be implemented in regards to the private sector for security on the Internet. The number one issue out there is still unpatched and unmaintained systems. Beyond that, by implementing Defense in Depth, a single vulnerability shouldn't be detrimental. As with all problems, it usually isn't one big problem... it is a series of small problems that could easily be addressed, but were excused for some reason or another.

    How many times have you been late to work because of one thing, versus being late because of several small impediments (hit snooze, shirt was too wrinkled, burnt breakfast, dog made a mess, had to stop and get gas, small traffic jam or ticket). That starts to sound like a crappy day real quick... and it is that sort of chain of events that leads to bad consequences.

    From what I have read... it looks like it was a key logger.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • RobertKaucher (Member, Posts: 4,299)
    powerfool wrote: »
    How many times have you been late to work because of one thing, versus being late because of several small impediments (hit snooze, shirt was too wrinkled, burnt breakfast, dog made a mess, had to stop and get gas, small traffic jam or ticket). That starts to sound like a crappy day real quick... and it is that sort of chain of events that leads to bad consequences.

    From what I have read... it looks like it was a key logger.

    I've done some mentoring of both younger and less experienced IT workers and there is a certain trait among the less experienced that relates to this sort of thing and when you combine lack of experience with youth it is even harder for the individual to see the problem. Here is a paraphrased conversation I had with one of these guys...

    N00b: "Bob, you always try to plan for everything that could go wrong. There is no way you can prevent everything."
    Me: "It's not that I am trying to plan for every potential problem. By following best practices I'm trying to mitigate the risk of small mistakes that add up into a big tragedy. When accidents happen, it's not because someone intentionally did something wrong. The guy who checked the brake system on the bus figured the bus could go another 100 miles, even though the maintenance plan said they needed to be changed that day. The guy who had to check the tire pressure on Friday left early and figured he'd take care of it next week. The bus driver takes an extra shift to make some extra cash, but he's driving more hours in a single day than policy allows. Each of these little things taken individually is trivial, but taken together, they are not."
  • Everyone (Member, Posts: 1,661)
    A friend of mine asked me to weigh in on this the other day, as he knew I have a bit of insider knowledge in this area... As they say, I've "been there, done that, and got the t-shirt".

    I'm fairly certain this was the result of a stupid user not following the rules. I don't think this was anything targeted. That person will be found, and an example will be made of them.

    This is absolutely NOTHING like stuxnet. There's no danger of drones being remotely controlled via this virus.
  • RobertKaucher (Member, Posts: 4,299)
    Everyone wrote: »
    A friend of mine asked me to weigh in on this the other day, as he knew I have a bit of insider knowledge in this area... As they say, I've "been there, done that, and got the t-shirt".

    I'm fairly certain this was the result of a stupid user not following the rules. I don't think this was anything targeted. That person will be found, and an example will be made of them.

    This is absolutely NOTHING like stuxnet. There's no danger of drones being remotely controlled via this virus.

    As a disclaimer to what I am about to say - I do not have any hands-on knowledge of these systems. But I think one major area of danger is when we mistake a generalized system for a proprietary, embedded system. Just as an example, take a specialized mobile device used for performing X function in a manufacturing environment, sold by vendor Y as a part of their mega-ERP system. From the outside the mobile device is packaged to look like a completely proprietary device - but it runs Windows CE or Windows XP Embedded. Now you have an unpatched system on your network that is, as far as you are concerned, a black box. From a security perspective it does not matter if this is a drone or whatever, as an attacker can compromise it and move laterally in the environment. So that sucks from a security perspective, but in itself is no big deal. It's typical. I've seen managed switches with a Linux-based OS that were compromised and the attacker had no idea what he had owned. He thought it was a server, and you could see in the logs he was running commands trying to figure out if it was a web server or what. This is likely the same sort of situation. The attacker was totally unaware of what he had compromised. This still inspires no confidence in me that the drones cannot be owned.

    Combine the "virus" in question with this:

    Insurgents Hack U.S. Drones - WSJ.com

    Now we are starting to get to where PowerFool was going with his comments. Cumulative errors causing big problems. I'm not saying "OMG the sky is falling!!! The drones need to be taken out of the air!!! Or we will all die!!!" I think what we are getting at here is that there are issues that need to be both acknowledged and addressed, as the drones are too important for someone to be allowed to "just not follow the rules" and get rooted. It might not have been targeted this time...
  • MrAgent (Member, Posts: 1,310)
    One thing that people fail to realize is that the drones are on a separate network which is not connected to the internet in any shape or form. Now, while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.
  • Everyone (Member, Posts: 1,661)
    MrAgent wrote: »
    One thing that people fail to realize is that the drones are on a separate network which is not connected to the internet in any shape or form. Now, while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.

    ^^ This.

    There's too much of a disconnect in the way these things work. This was most likely a common virus that at least one person who has posted in this thread has dealt with at some point or another. Easy enough for an infection to happen due to stupid users, but not so easy for it to actually "phone home". The systems that control the drones are on isolated networks. A virus infecting it could steal data the same way it infected it (careless use of removable media), but it would never allow a person to remotely control a drone.

    That being said, a targeted virus, if smart enough, could control a drone, but it would be severely limited. i.e. not allow it to take off, or crash it shortly after take off. While they are unmanned, they don't fly themselves. Without a human controlling them, they won't get very far. I said "THIS virus" for a reason. ;)


    Do you really think these issues aren't being acknowledged and addressed? I know from experience that they are, and "heads will roll". The moron who caused the infection will be punished, and so will the idiots who leaked the info to the media. Anyone who has access to the system at all is going to have to endure all sorts of retraining and briefings on how to prevent it from happening again.

    It will happen again, just like it happens on EVERY network. Why? Because USERS are stupid. Just when you think you've beaten all the stupid out of your users, you have a brand new batch of stupid coming in and using your network.
  • RobertKaucher (Member, Posts: 4,299)
    MrAgent wrote: »
    One thing that people fail to realize is that the drones are on a separate network which is not connected to the internet in any shape or form. Now, while the workstations they use to connect to the drones may be affected with a keylogger (probably by someone plugging in a USB device), it won't be transmitted anywhere, nor will remote control be possible by anyone outside of the agency providing the drone.

    If you can get the payload on to the system, you can get the data off eventually. You are looking at this from a single angle of attack. Just because an accidental attack only partially worked does not mean something more sophisticated and targeted would not work. It was already demonstrated that insurgents were able to view the video feed from approaching drones, so to say that "it won't be transmitted anywhere" may not be true. All I can say is that I don't like it when I hear people say "Oh, such-and-such was not a big deal. It was an anomaly and will never happen again." As if the problem can just be ignored. Because it always happens again. I have too much experience in this field to EVER accept anyone's assurances that something "was a one-off event".

    My team and I are working on a data model right now and we have serious concerns about the validity of the data we are being asked for. When we expressed our concerns we were told "Oh, that never happens." Of course we found one instance when it did: "Oh, that was just a special case." And then another, and then a 3rd. When does a special case become un-special? If one guy plugged in a USB stick once, it likely happened other times as well. I know these systems are in highly secure environments; so I'm not really worried that we are going to see drones being taken over - but I will always play devil's advocate on these sorts of issues. I've just seen too much stupidity in my life.
  • RobertKaucher (Member, Posts: 4,299)
    Everyone wrote: »
    Do you really think these issues aren't being acknowledged and addressed? I know from experience that they are, and "heads will roll". The moron who caused the infection will be punished, and so will the idiots who leaked the info to the media. Anyone who has access to the system at all is going to have to endure all sorts of retraining and briefings on how to prevent it from happening again.

    Well, it's reached the "has-to-be-addressed" phase, hasn't it? You are not getting my point. I am certain it is being addressed now. But I am also certain that the behavior that caused this was occurring and known about before this infection, and that it happened more than once. The fact that it was able to occur is bad in itself.
    It's just like I said with the SSL/TLS issue. Ignore, ignore, ignore until you have to deal with the consequences. This is what I don't like. I'm not saying it isn't being addressed; I'm complaining that it was not addressed until it had to be addressed due to this event.
    Everyone wrote: »
    It will happen again, just like it happens on EVERY network. Why? Because USERS are stupid. Just when you think you've beaten all the stupid out of your users, you have a brand new batch of stupid coming in and using your network.

    Humans are stupid. The engineers are stupid, the developers are stupid, the users are stupid. How many times have you seen an application that has a button to "Destructively delete all your work" placed right next to the button to do some common task?
    Designers, developers, and engineers unconsciously conspire to push users who are strapped for time into making errors. Look at this:
    http://homepage.mac.com/bradster/iarchitect/images/aspack.gif
    WTH? Clicking Open File does not immediately open a file. Clicking Compress does not immediately compress a file... But guess what "exit" does? Having a tab that does that is just stupid.
    Here is a great example: http://www.baddesigns.com/starbucks.html
    This is why humans work together. We can catch each other's mistakes. But when stupid behavior is seen and not corrected around critical systems we end up with things like BEAST and military drones with keyloggers and Three Mile Island.
    The design of everyday things - Donald A. Norman - Google Books
    So don't think I believe these things are not being addressed, or that I am being an alarmist and saying the drones are going to be hacked and blow up New York. What I am saying is it's not as hard to fix big problems as people think. But you have to do the work up front. It's easy to blame the users. Why was this guy even allowed to do whatever he did to get the infection?
  • Everyone (Member, Posts: 1,661)
    RobertKaucher wrote: »
    Why was this guy even allowed to do whatever he did to get the infection?

    What does being allowed have to do with it? Where does it say whoever was responsible was allowed to do it? People aren't allowed to do all sorts of things, but they still do them anyway.

    I can assure you the issue isn't just now being addressed because of this, it was an issue that has been addressed over and over and over and over again. People still do things no matter how many times they're told not to.

    I'll use a facility I work in without going into too much detail on it as an example. The entrance has several signs stating "No cell phone or electronic devices beyond this point." People are reminded via e-mails and routine briefings that they are NOT allowed to bring any electronic devices into the building. There is a spot in the man trap to empty your pockets and leave these things at before entering. There are cameras all over the place. Entry is controlled with 3 factors of identification.

    Do you think all this keeps people from bringing their cell phones into the building? Nope! We catch people doing it all the time. So far it's always been unintentional. Too bad for the guy who couldn't remember to take his phone out and leave it behind before entering. Now his phone gets destroyed, and he loses his job.

    These guys are bombarded with what they can and can't do on a regular basis. Someone always does it anyway, and you end up with these types of stories. If you read it, HBSS, which was a suite of McAfee products last time I had to touch it, picked it up. That is what was in place to catch the stupid mistakes that people make. It worked. So like I said, the issue of someone not following the rules will be READDRESSED. It's not like it's just coming up for the 1st time, it's just the first time YOU'VE heard of it.

    This wasn't "OMG they're doing it wrong and so incredibly vulnerable!" that people are making it out to be. It's more like "Oh crap it finally happened to us, good thing we caught it."

    There's one thing the Military does that I always wish I could still do in the Corporate sector, and that's shut down anything that doesn't comply with policies. I got to shut down entire networks due to people not taking care of identified vulnerabilities in a timely manner when I worked in the DoD. Oh you thought the message we sent you saying "Hey patch these systems" was just a suggestion? Well guess what, your network is now isolated. You have 0 access to anything outside your LAN until everything is brought to compliance. If you want services restored, you better prove you've fixed the problem. Have fun explaining to your superiors that they can't accomplish the mission because you didn't do your job.

    Oh how I've wished I could do that in the Corporate world.
  • RobertKaucher (Member, Posts: 4,299)
    Everyone wrote: »
    What does being allowed have to do with it? Where does it say whoever was responsible was allowed to do it? People aren't allowed to do all sorts of things, but they still do them anyway.
    My fault. I mean allowed as in physically able/capable of the action. If it were a USB stick, for example, why is there a USB port on the PC?
    Everyone wrote: »
    I can assure you the issue isn't just now being addressed because of this, it was an issue that has been addressed over and over and over and over again. People still do things no matter how many times they're told not to.
    With critical systems, and by that I mean systems capable of causing serious physical or financial harm - being told not to should not be an option. In many cases, granted not all, there should be built-in safeguards that disallow destructive actions.
    Everyone wrote: »
    I'll use a facility I work in without going into too much detail on it as an example. The entrance has several signs stating "No cell phone or electronic devices beyond this point." People are reminded via e-mails and routine briefings that they are NOT allowed to bring any electronic devices into the building. There is a spot in the man trap to empty your pockets and leave these things at before entering. There are cameras all over the place. Entry is controlled with 3 factors of identification.
    Do you think all this keeps people from bringing their cell phones into the building? Nope! We catch people doing it all the time. So far it's always been unintentional. Too bad for the guy who couldn't remember to take his phone out and leave it behind before entering. Now his phone gets destroyed, and he loses his job.
    I totally understand your point here. But this isn't really the sort of thing I am talking about. With the exception of strip searching every individual there is not much you can do to prevent that. But you can physically disallow other actions when it comes to technology. I can't prevent an idiot who should be allowed to delete critical data from deleting the wrong record. But I can place the delete button somewhere to make accidental deletion of an arbitrary record impossible. I can't 100% prevent a meltdown in a reactor, but I also don't have to put the "meltdown core" lever right next to the "order pizza for lunch" lever. I can't prevent the user from crashing the drone into a mountain, but I can prevent users from inserting random USB sticks and transmitting a virus with some non-conductive epoxy or by removing the optical drive.
    Everyone wrote: »
    These guys are bombarded with what they can and can't do on a regular basis. Someone always does it anyway, and you end up with these types of stories. If you read it, HBSS, which was a suite of McAfee products last time I had to touch it, picked it up. That is what was in place to catch the stupid mistakes that people make. It worked. So like I said, the issue of someone not following the rules will be READDRESSED. It's not like it's just coming up for the 1st time, it's just the first time YOU'VE heard of it.

    This wasn't "OMG they're doing it wrong and so incredibly vulnerable!" that people are making it out to be. It's more like "Oh crap it finally happened to us, good thing we caught it."
    I agree and I am trying to be clear that I am not saying "OMG they are so vulnerable." My variation is "Oh crap it finally happened to us, I probably should have spoken up about this 6 months ago and maybe this wouldn't have ever become an issue." But no one wants to be the d-bag. Or in some cases, no one wants to do the work.
    Everyone wrote: »
    There's one thing the Military does that I always wish I could still do in the Corporate sector, and that's shut down anything that doesn't comply with policies. I got to shut down entire networks due to people not taking care of identified vulnerabilities in a timely manner when I worked in the DoD. Oh you thought the message we sent you saying "Hey patch these systems" was just a suggestion? Well guess what, your network is now isolated. You have 0 access to anything outside your LAN until everything is brought to compliance. If you want services restored, you better prove you've fixed the problem. Have fun explaining to your superiors that they can't accomplish the mission because you didn't do your job.

    Oh how I've wished I could do that in the Corporate world.
    YOU ARE HIRED!!! You are totally preaching to the choir. But it's all of us. I need my team members to remind me that I'm being an idiot when I say "That'll never happen." It always happens at some point - unless it physically cannot. But when I hear people say "the network is isolated - the data could never get off the network" I just don't believe it. Maybe not with this virus, but improbable and impossible are not the same things. Given persistence over time, the improbable will eventually occur. You know as well as I you cannot prevent all breaches. You can only minimize (the chances) and mitigate (the harm). Like I said, I don't have any experience with these systems. But people are people. And I would bet money that, to use the USB stick example, there was someone who knew people were plugging USB sticks into the system and could have said to someone else: "I know they are not supposed to be doing this but people are doing it and we need to make it so they physically cannot."
  • Everyone (Member, Posts: 1,661)
    Direct quote from the article:
    Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

    When there is no network to transfer data between 2 systems, but you still have a need to get data from system A to system B, how do you do it? Removable media. Which is why there was an exception for these systems, and why it wasn't blocked on them like it is everywhere else. I can tell you that some sort of document was most likely signed by someone taking responsibility for this, as it was probably seen as an "Acceptable risk" upon implementation.

    You can't always just disable everything as a blanket solution. People may have a legitimate need to do something a certain way. I'd say the chances were pretty well minimized, being isolated systems, in a secure facility. If you lock down the only method they currently have of transferring needed data between systems, how is the mission going to get accomplished?

    With the USB stick example, these technical solutions you mention to attempt to block user stupidity are in place on 99% of the systems. Like I said, there have to be some exemptions to get the job done. Plus factor in that you have handfuls of people with permissions levels that would allow them to circumvent these technical solutions. Still a lot more secure than most anything else you'd see out there, but not 100% secure, nothing ever is.

    People abuse exceptions when they find out about them, often because they think they are smart. "Oh I ran a virus scan on this USB stick at home, and it said it was clean, so it must be right? I should be able to plug it into this system at work that has no internet access so I can copy my MP3 files to it and listen to some music while I work. I know this system will let me even though the other ones won't, and I'm not really supposed to do it, but what harm is there in copying some music over to listen to?"
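The removable-media exception discussed in the last few posts (issued drives as the only data path onto and off an isolated network) is exactly the thing a defender has to monitor rather than simply trust. As an added example that is not part of this thread, here is a small Python audit over a constructed mount log: it allowlists issued drives by vendor and serial and flags any other mount, plus any use of an issued drive outside an assumed mission window. The log format, drive identifiers, hostnames and window are all assumptions, not any real product's format.

```python
"""Removable-media audit for an isolated workstation (added example).

The control being modelled: the only sanctioned way data crosses the air gap
is a small set of issued drives, so every mount event is checked against that
list, and issued drives are expected only during a known mission window.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Constructed allowlist of issued drives as (vendor, serial). Hypothetical values.
ISSUED_DRIVES = {
    ("MISSIONDRV", "MD-0001"),
    ("MISSIONDRV", "MD-0002"),
}
# Constructed mission window in which issued-drive use is expected.
WINDOW_START, WINDOW_END = time(6, 0), time(22, 0)

# Constructed log line format (assumption, not a real product's format):
# <ISO timestamp> host=<host> user=<user> event=<mount|unmount> vendor=<v> serial=<s>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>mount|unmount) vendor=(?P<vendor>\S+) serial=(?P<serial>\S+)$"
)


@dataclass
class Finding:
    line_no: int
    user: str
    serial: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def audit(lines):
    """Flag unparseable lines, mounts of non-issued drives, and out-of-window use."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            # A line the collector cannot parse is itself worth a look.
            findings.append(Finding(n, "?", "?", "unparseable log line"))
            continue
        if ev["event"] != "mount":
            continue
        key = (ev["vendor"], ev["serial"])
        if key not in ISSUED_DRIVES:
            findings.append(Finding(n, ev["user"], ev["serial"], "drive not on issued list"))
        elif not (WINDOW_START <= ev["ts"].time() <= WINDOW_END):
            findings.append(Finding(n, ev["user"], ev["serial"],
                                    "issued drive used outside mission window"))
    return findings


# Constructed sample log: one clean mount/unmount pair, one non-issued drive,
# one issued drive at 23:30, and one garbage line.
SAMPLE_LOG = """\
2011-10-07T08:15:02 host=gcs-01 user=crew_a event=mount vendor=MISSIONDRV serial=MD-0001
2011-10-07T08:40:10 host=gcs-01 user=crew_a event=unmount vendor=MISSIONDRV serial=MD-0001
2011-10-07T12:03:44 host=gcs-02 user=crew_b event=mount vendor=GENERIC serial=4C530001
2011-10-07T23:30:00 host=gcs-02 user=crew_b event=mount vendor=MISSIONDRV serial=MD-0002
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: user={f.user} serial={f.serial}: {f.reason}")
```

On the sample log this reports three findings: the non-issued drive on line 3, the out-of-window issued drive on line 4, and the unparseable line 5.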