[Cryptography] Cyber Command - we have nothing to fear, but...

ianG iang at iang.org
Mon Feb 22 18:51:57 EST 2016


http://malwarejake.blogspot.co.uk/2016/02/a-tale-of-idiots-and-red-tape.html

... Most examples of idiocracy there are classified and can't be blogged 
about, but to illustrate how truly bad the problems are, let me share an 
unclassified story of idiots and red tape.

A senior network exploitation operator noticed one day that the 
organization had deployed a large number of devices on an unclassified 
network.  He said to himself:

     Wow - I know our targets frequently misconfigure
     these devices and leave default services enabled.
     I wonder if our contract administrators staffed
     by the lowest bidder have done this too?

The operator decided to check, but realized that pen testing a DoD 
network without authorization could be a criminal offense.  He's a smart 
guy so he didn't penetration test anything.  He simply walked up to the 
device and started typing at the keypad.  Just by looking at options on 
the on-screen display, he confirmed that default services (including an 
incredibly insecure embedded HTTP server) were enabled.

The operator then emailed IT to let them know.  IT first said that the 
entire system was configured securely and he was wrong.  HTTP services 
were in fact disabled they said.  So he opened up a web browser on his 
system and navigated to the web page (which did not require 
authentication).  The web server would have accepted default credentials 
that would have given him additional access.  The operator knew the 
default passwords since he used them to regularly hack others (with 
authorization).  But he stopped short of logging in, knowing that this 
would be a big deal.  IT summarily ignored him and simply stopped 
answering emails.

When IT ignored him, he emailed security.  Rather than security 
contacting IT to address the vulnerabilities in Internet connected DoD 
systems, they opened up an investigation into the operator's actions. 
Security noted in their report that connecting to a web server 
officially involves making a TCP connection, which is sort of 
technically a port scan.  And port scanning sounds a lot like hacking. 
Oh yeah, you can see where this is going.  This senior CNE operator who 
hacks other nation-states for a living found a glaring vulnerability in 
Cyber Command/NSA's own infrastructure.  They should have given this guy 
a medal.

But yeah, he didn't get a medal.  Instead he got a reprimand.  A written 
f*cking reprimand.  And that was the beginning of the end for him.  He 
started looking for a new job and no longer works for them.  He was one 
of the best operators I've ever had the pleasure of working with.

So go ahead and tell me all about how Cyber Command rewards creativity, 
problem solving and outside the box thinking. But meet me in a SCIF to 
do it.  I've got a hundred more stories like this that I can't share in 
open forum.  This didn't happen a decade ago, it was less than two years 
ago.  Are things getting better? Maybe. But according to the people I'm 
still talking to they are changing at a glacial pace (if at all).

...
