[Cryptography] Cyber Command - we have nothing to fear, but...
ianG
iang at iang.org
Mon Feb 22 18:51:57 EST 2016
http://malwarejake.blogspot.co.uk/2016/02/a-tale-of-idiots-and-red-tape.html
... Most examples of idiocracy there are classified and can't be blogged
about, but to illustrate how truly bad the problems are, let me share an
unclassified story of idiots and red tape.
A senior network exploitation operator noticed one day that the
organization had deployed a large number of devices on an unclassified
network. He said to himself:
Wow - I know our targets frequently misconfigure
these devices and leave default services enabled.
I wonder if our contract administrators staffed
by the lowest bidder have done this too?
The operator decided to check, but realized that pen testing a DoD
network without authorization could be a criminal offense. He's a smart
guy so he didn't penetration test anything. He simply walked up to the
device and started typing at the keypad. Just by looking at options on
the on-screen display, he confirmed that default services (including an
incredibly insecure embedded HTTP server) were enabled.
The operator then emailed IT to let them know. IT first said that the
entire system was configured securely and he was wrong. HTTP services
were in fact disabled they said. So he opened up a web browser on his
system and navigated to the web page (which did not require
authentication). The web server would have accepted default credentials
that would have given him additional access. The operator knew the
default passwords since he used them to regularly hack others (with
authorization). But he stopped short of logging in, knowing that this
would be a big deal. IT summarily ignored him and simply stopped
answering emails.
When IT ignored him, he emailed security. Rather than security
contacting IT to address the vulnerabilities in Internet connected DoD
systems, they opened up an investigation into the operator's actions.
Security noted in their report that connecting to a web server
officially involves making a TCP connection, which is sort of
technically a port scan. And port scanning sounds a lot like hacking.
Oh yeah, you can see where this is going. This senior CNE operator who
hacks other nation-states for a living found a glaring vulnerability in
Cyber Command/NSA's own infrastructure. They should have given this guy
a medal.
But yeah, he didn't get a medal. Instead he got a reprimand. A written
f*cking reprimand. And that was the beginning of the end for him. He
started looking for a new job and no longer works for them. He was one
of the best operators I've ever had the pleasure of working with.
So go ahead and tell me all about how Cyber Command rewards creativity,
problem solving and outside-the-box thinking. But meet me in a SCIF to
do it. I've got a hundred more stories like this that I can't share in
an open forum. This didn't happen a decade ago; it was less than two years
ago. Are things getting better? Maybe. But according to the people I'm
still talking to, they are changing at a glacial pace (if at all).
...