[vox] what do they pay their staff for?!?

Peter Jay Salzman vox@lists.lugod.org
Tue, 18 Mar 2003 13:31:06 -0800


warning: long email

begin Samuel Merritt <spam@andcheese.org> 
> On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> [snip]
> > today i read the news.  the US army's webserver was hacked.  the webdav
> > hole is to blame.
> > 
> > 
> > ok, let's forget the issue of why the army is using IIS to begin with.
> > that's a whole different issue.  i'm wondering who gets paid to sit
> > around and administrate army webservers, and why it didn't occur to them
> > 
> >    "hey, wait a minute.  WE'RE running IIS on win2k servers!"
> > 
> > a website isn't a big deal, but considering we're on the brink of war,
> > you'd think the administrators would be a bit more on the ball.  who
> > knows what's networked to what.  heck, i don't have microsoft anything,
> > and i still knew about the webdav hack.
> 
> Nothing of any importance to the military could get leaked via the web
> servers. No classified computer can be connected to the Internet. 
> 
> That's really important, so I'll say it again: No classified computer
> can be connected to the Internet. If an Army computer is behind a
> thousand different firewalls, but could conceivably send or receive a
> packet from the Internet through those firewalls, the computer is not
> classified.

sam, you obviously were never a hacker.


i was able to connect to MANY computers that weren't connected to the
internet and which i didn't have a dialup for.   i'll give you two
examples, but you have to understand that i'm talking about hundreds of
computers that i entered that were supposedly physically separated from
any other networks or dialup.


1. phone switches: ESS 1, ESS 1a, ESS 2, ESS 3, ESS 4, ESS 5

there were a bunch of phone switches i wanted to hack into down in
bellsouth territory - florida, georgia, alabama, etc.  through social
engineering, i was able to discover that bellsouth had implemented very
strict security -- no dialups to these computers.  you couldn't reach
them through any network.   southern bell had SBDN - the southern bell
data network.  it was their main hub.  the switches were taken off of
SBDN.   access was restricted to direct asynch lines.

however, through reading i was able to discover that it was possible to
send batch commands to switches through a little known and poorly
documented feature of a computer system named COSMOS which WAS
connected to dialup.  COSMOS was being used mostly as a database.  i
don't think work orders were going through COSMOS, so it was considered
a low-security system.   by breaking into a low-security system and
making use of the batch processing system that was unused and probably
not known about, i was able to send arbitrary commands to the highly
secure phone switches.  that was nearly as good as cracking into the
switches.

no doubt the administrators thought very much like you.  they were
simply unaware of their vulnerability because they didn't think it was
possible to access the systems.   that kind of thinking is *deadly* for
a system administrator who is concerned with security, and it should
definitely be avoided by anyone serious about security.



2. loop operations maintenance system (LMOS)

in new york they implemented the "ultimate" in secure computing.
customer records held in LMOS were physically separated from the net.
not only that, they made damn sure that LMOS was physically separated
from other networked computers.   no modems.  no networks.  nothing.

however, i learned that they DID have a dialup system which was
disconnected.  i simply called the switchboard that maintained the
backup dialup system and told her that a water main had burst and the
flood at varick street (where the CO was) had all access to LMOS
knocked out.   i then asked her if she could hook up the LMOS backup
dialin service on her switchboard.   she asked me how long it would take
for normal LMOS operation to be restored.  i told her "in a few hours"
and said that i'd notify the next shift to disconnect the dialup.  she
left her shift, and that dialup was left up for almost a year.

here again, the admins had good cause to feel secure.  these systems
were even more secure than phone switches i mentioned above.  however,
it was human frailty that i took advantage of.  the reason why i had
access to these computers for a year was because they were so
overconfident that their systems were physically separated from any
network (and they were!) that they failed to implement a procedure of
what to do when a backup dialup line was established.  overconfidence
killed them.




i won't bother mentioning all my other stories, because i'm pressed for
time.  so make no bones about it, sam.  hackers are crafty.  nothing is
impossible.  humans make mistakes.  and to say "it's just embarrassing,
and has no potential to be dangerous" is a mindset i wasn't expecting
from you.

in addition, you don't seem to understand that non-classified information
can still be extremely valuable.   ask me about the anti-radiation
missile code phrase we had in the air force sometime.   that's an
example of info which isn't classified, yet would throw a radar squadron
into chaos for a day.  that would be _deadly_ during an air engagement.

even something stupid like whether a squadron is getting ready to
deploy.  that obviously can't be classified because then the entire
squadron needs to have clearance.  right?   but certain squadrons have
different "checkered flag areas".   an enemy might have advance warning
by knowing which squadron was ordered to go into the field.   another
example of non-classified info which is still vital.

so, not all "good" and "juicy" info is classified.  and in both of my
examples, it was complacency that killed security.  complacency like
saying...

> There are people who do nothing but go over classified networks, again
> and again, to make sure that there is absolutely no path from them to
> any unclassified network or system, including the Internet. 
 
and like saying...

> Hence, there is no path to classified information from the Army's web
> servers, and so if the web servers get hacked, it's embarrassing, but
> nothing more. 

this is so wrong, it's not even funny.   this is *exactly* the kind of
thinking i'd expect from the army webmasters who let themselves get
hacked despite the webdav thing being headlined yesterday.

pete
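The principle behind both stories, as an added example that is not part of the original email or of any Bell System tool: a small reachability audit over an asset graph, where the asset names follow the stories and the links between them are constructed here for illustration. It shows ESS5 reachable through the COSMOS batch feature even though no dialup touches the switch, and LMOS showing up as reachable only once the standby dialup is counted, which is why the audit has to include channels that are normally switched off.

```python
# Added example, not code from the original email or from any Bell System tool.
# Asset names follow the email's stories; the links are constructed here.
from collections import deque

# (source, destination, channel). Every channel counts: dialups, networks,
# batch-command forwarding, and standby lines that may be patched in later.
LINKS = [
    ("internet", "COSMOS", "dialup modem"),        # low-security database host
    ("SBDN", "COSMOS", "network"),
    ("COSMOS", "ESS5", "batch command feature"),   # poorly documented forwarding
    ("LMOS backup dialup", "LMOS", "async line"),
]
# A channel that exists but is normally switched off; an audit that leaves it
# out is the overconfidence the email describes.
STANDBY_LINKS = [("internet", "LMOS backup dialup", "switchboard patch")]

def build_graph(links):
    graph = {}
    for src, dst, channel in links:
        graph.setdefault(src, []).append((dst, channel))
        graph.setdefault(dst, [])
    return graph

def find_path(graph, start, target):
    """Breadth-first search; returns the hop list [(node, channel), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, channel = parent[node]
                path.append((node, channel))
                node = prev
            return path[::-1]
        for nxt, channel in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, channel)
                queue.append(nxt)
    return None

def audit_isolation(links, entry="internet", claimed_isolated=("ESS5", "LMOS")):
    """Map each asset claimed isolated to the path that reaches it (None if none)."""
    graph = build_graph(links)
    return {asset: find_path(graph, entry, asset) for asset in claimed_isolated}

if __name__ == "__main__":
    for asset, path in audit_isolation(LINKS + STANDBY_LINKS).items():
        print(asset, "reachable via " + str(path) if path else "isolated")
```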