Re: [vox] what do they pay their staff for?!?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox] what do they pay their staff for?!?
On Tue, Mar 18, 2003 at 01:31:06PM -0800, Peter Jay Salzman wrote:
> warning: long email
> begin Samuel Merritt <firstname.lastname@example.org>
> > On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> > [snip]
> > > today i read the news. the US army's webserver was hacked. the webdav
> > > hole is to blame.
> > >
> > >
> > > ok, let's forget the issue of why the army is using IIS to begin with.
> > > that's a whole different issue. i'm wondering who gets paid to sit
> > > around and administrate army webservers, and why it didn't occur to them
> > >
> > > "hey, wait a minute. WE'RE running IIS on win2k servers!"
> > >
> > > a website isn't a big deal, but considering we're on the brink of war,
> > > you'd think the administrators would be a bit more on the ball. who
> > > knows what's networked to what. heck, i don't have microsoft anything,
> > > and i still knew about the webdav hack.
> > Nothing of any importance to the military could get leaked via the web
> > servers. No classified computer can be connected to the Internet.
> > That's really important, so I'll say it again: No classified computer
> > can be connected to the Internet. If an Army computer is behind a
> > thousand different firewalls, but could conceivably send or receive a
> > packet from the Internet through those firewalls, the computer is not
> > classified.
> sam, you obviously were never a hacker.
> i was able to connect to MANY computers that weren't connected to the
> internet and which i didn't have a dialup for. i'll give you two
> examples, but you have to understand that i'm talking about hundreds of
> computers that i entered that were supposedly physically separated from
> any other networks or dialup.
> 1. phone switches: ESS 1, ESS 1a, ESS 2, ESS 3, ESS 4, ESS 5
> there were a bunch of phone switches i wanted to hack into down in
> bellsouth territory - florida, georgia, alabama, etc. through social
> engineering, i was able to discover that bellsouth had implemented very
> strict security -- no dialups to these computers. you couldn't reach
> them through any network. southern bell had SBDN - the southern bell
> data network. it was their main hub. the switches were taken off of
> SBDN. access was restricted to direct asynch lines.
> however, through reading i was able to discover that it was possible to
> send batch commands to switches through a little known and poorly
> documentated feature of a computer system named COSMOS which WAS
> connected to dialup. COSMOS was being used mostly as a database. i
> don't think work orders were going through COSMOS, so it was considered
> a low-security system. by breaking into a low-security system and
> making use of the batch processing system that was unused and probably
> not known about, i was able to send arbitrary commands to the highly
> secure phone switches. that was nearly as good as cracking into the
> no doubt the administrators thought very much like you. they were
> simply unaware of their vulnerability because they didn't think it was
> possible to access the systems. that kind of thinking is *deadly* for
> a system administrator who is concerned with security, and it should
> definitely be avoided by anyone serious about security.
> 2. loop operations maintenance system (LMOS)
> in new york they implemented the "ultimate" in secure computing.
> customer records held in LMOS were physically separated from the net.
> not only that, they made damn sure that LMOS was physically separated
> from other networked computers. no modems. no networks. nothing.
> however, i learned that they DID have a dialup system which was
> disconnected. i simply called the switchboard that maintained the
> backup dialup system and told her that a water main had burst and the
> flood at varrick street (where the CO was) had all access to LMOS
> knocked out. i then asked her if she could hook up the LMOS backup
> dialin service on her switchboard. she asked me how long it would take
> for normal LMOS operation to be restored. i told her "in a few hours"
> and said that i'd notify the next shift to disconnect the dialup. she
> left her shift, and that dialup was left up for almost a year.
> here again, the admins had good cause to feel secure. these systems
> were even more secure than phone switches i mentioned above. however,
> it was human frailty that i took advantage of. the reason why i had
> access to these computers for a year was because they were so
> overconfident that their systems were physically separated from any
> network (and they were!) that they failed to implement a procedure of
> what to do when a backup dialup line was established. overconfidence
> killed them.
Your stories all involve systems connected to the phone network, albeit
indirectly. That's the point I'm making: if A talks to B talks to C ...
talks to Z, who talks to the Internet or has a modem connected to any
phone line, A isn't a classified system.
Any real classified computing facility has people who continuously look
for connections of any sort between the classified net and the world.
Got a phone line? No modems allowed on any of your machines. Your hard
drive might get stored in a safe whenever you're not using it.
I'm sure that classified data can get out, but it really needs the help
of an insider. Any system that's not continually monitored doesn't
touch classified data.
It's not like there's this huge, amorphous blob of a "classified
network" somewhere; that'd be impossible to monitor. It's more like a
half-dozen systems and a switch here, a couple dozen over there, etc.
If there's any sort of connection at all from a public-facing web server
to a classified system, then many people are grossly incompetent.
> i won't bother mentioning all my other stories, because i'm pressed for
> time. so make no bones about it, sam. hackers are crafty. nothing is
> impossible. humans make mistakes. and to say "it's just embarrasing,
> and has no potential to be dangerous" is a mindset i wasn't expecting
> from you.
If it were anything but a military or classified network, I'd be right
there with you, wondering what damaging stuff they could get out.
I've worked with people who work on similar networks, though, and
they're ridiculously paranoid about this stuff. Personally, I'm quite
confident that the classified networks remain secure at all times.
> in addition, you don't seem to understand that non-classified information
> can still be extremely valuable. ask me about the anti-radiation
> missile code phrase we had in the air force sometime. that's an
> example of info which isn't classified, yet would throw a radar squadron
> into chaos for a day. that would be _deadly_ during an air engagement.
You're right; I didn't consider the value of nonclassified information.
In theory, anything that can cause the loss of life if known is
classified, but bad judgment calls can foul that up.
> even something stupid like whether a squadron is getting ready to
> deploy. that obviously can't be classified because then the entire
> squadron needs to have clearance. right? but certain squadrons have
> different "checkered flag areas". an enemy might have advance warning
> by knowing which squadron was ordered to go into the field. another
> example of non-classified info which is still vital.
Good call; again, I just didn't consider the value of nonclassified
stuff. I guess I should take my blinders off.
> so, not all "good" and "juicy" info is classified. and in both of my
> examples, it was complacency that killed security. complacency like
> > There are people who do nothing but go over classified networks, again
> > and again, to make sure that there is absolutely no path from them to
> > any unclassified network or system, including the Internet.
> and like saying...
> > Hence, there is no path to classified information from the Army's web
> > servers, and so if the web servers get hacked, it's embarassing, but
> > nothing more.
> this is so wrong, it's not even funny. this is *exactly* the kind of
> thinking i'd expect from the army webmbasters who let themselves get
> hacked despite the webdav thing being headlined yesterday.
> vox mailing list
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
Description: PGP signature