Wednesday, August 25, 2010
SIPRNet and JWICS were Massively Infected in 2008
Wired has a story about how the US military's secure networks were compromised in 2008, via USB thumb drives, by a worm that had already been known since 2007. Here are some thoughts.
Suggested solutions to the military's network security problems:
1. Quit issuing Windows laptops to people who use secret military networks. Make them use Linux (Ubuntu/RedHat), Apple OS, FreeBSD, anything but Windows. That cheap operating system can be replaced by an even cheaper one that is not as vulnerable, and the government has people who can make the OS secure and as easy to use as Windows.
2. If you can't stop people from using Windows, then issue them a CD like the F-Secure Rescue CD. Customize the CD so that it writes a log file to the hard drive every time it is used. Have a Windows login script running on sensitive networks that queries for the presence of that file and checks that the hard drive was scanned within the last 24 hours or some other defined interval. If the check fails, access is only allowed for the F-Secure CD to download up-to-date virus definitions for scanning, and the user is denied access until the system is checked and verified. It won't entirely stop infections from occurring, since a virus or worm that is not in the scanner's signature database will not be discovered, but it will stop a lot of trivial and known attacks.
3. Do not have your secret military network directly connected to the wider Internet.
4. Run honeypots on the network. Any IP address that connects to them and uploads a worm should be immediately knocked off the sensitive network (DHCP lease revoked or switch port turned off; yes, the technology exists). A message should be sent to the infected system telling the user to contact IT Security immediately.
5. Diversify your servers and harden them. Have a separate Windows domain for laptop systems to authenticate to, as an additional safeguard to protect your Windows DCs on the main secure networks. Use Samba, or a commercial solution built on Samba, for that domain controller if possible. That way, if the domain controllers on the laptop domain are compromised, you only have to rebuild those and not your primary domain controllers on the main networks. I have seen a very secure network compromised by one compromised laptop, and the only fix was to rebuild the domain controllers and change everyone's passwords. That's a lot of work for one slip-up.
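As an added example (not from the original post), here is the freshness check the login script in item 2 would perform, modelled in Python. The log line format written by the customized rescue CD, the 24-hour window and the clock-skew allowance are assumptions for this example, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# Assumed format of the log line the customized rescue CD writes after each scan
# (an assumption for this example, not F-Secure's real format), e.g.:
#   2010-08-24T21:15:03Z scan=complete infected=0
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+scan=(?P<status>\w+)\s+infected=(?P<infected>\d+)$"
)

def last_clean_scan(log_text):
    """Timestamp (UTC) of the most recent completed scan that found nothing, or None."""
    latest = None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or partial line: never counts as a scan
        if m.group("status") != "complete" or int(m.group("infected")) != 0:
            continue  # aborted or infected scans do not satisfy the check
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if latest is None or ts > latest:
            latest = ts
    return latest

def access_decision(log_text, now, max_age=timedelta(hours=24), skew=timedelta(minutes=5)):
    """Return (allowed, reason). Missing, stale, dirty or future-dated scans deny access;
    the denial reason is what the login script would show the user."""
    if log_text is None:
        return False, "no scan log on disk: boot the rescue CD and scan before logging in"
    ts = last_clean_scan(log_text)
    if ts is None:
        return False, "no completed clean scan recorded"
    if ts > now + skew:
        return False, "scan timestamp is in the future: suspect clock tampering"
    if now - ts > max_age:
        return False, "last clean scan at %s is older than %s" % (ts.isoformat(), max_age)
    return True, "clean scan at %s" % ts.isoformat()

# Constructed sample logs and a fixed "now" so the example is reproducible offline.
NOW = datetime(2010, 8, 25, 9, 0, 0, tzinfo=timezone.utc)
LOG_FRESH = "2010-08-24T21:15:03Z scan=complete infected=0\n"
LOG_STALE = "2010-08-20T08:00:00Z scan=complete infected=0\n"
LOG_DIRTY = "2010-08-24T21:15:03Z scan=complete infected=2\n"
LOG_MIXED = LOG_STALE + "garbage line\n" + "2010-08-24T23:59:59Z scan=aborted infected=0\n" + LOG_FRESH
LOG_FUTURE = "2010-09-01T00:00:00Z scan=complete infected=0\n"

if __name__ == "__main__":
    for name, log in [("fresh", LOG_FRESH), ("stale", LOG_STALE), ("dirty", LOG_DIRTY),
                      ("mixed", LOG_MIXED), ("future", LOG_FUTURE), ("missing", None)]:
        print(name, access_decision(log, NOW))
```

A real login script would read the log from a fixed path on the laptop and, on a denial, restrict the session to the update path described above rather than granting network access.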
Links:
1. F-Secure Rescue CD
2. Adaptive Network Countermeasures
3. Adaptive Network Countermeasures Slide Presentation
4. Samba
Labels: SIPRnet JWICS lax IT Security