[vox] what do they pay their staff for?!?

Samuel Merritt vox@lists.lugod.org
Tue, 18 Mar 2003 15:30:21 -0800



On Tue, Mar 18, 2003 at 01:31:06PM -0800, Peter Jay Salzman wrote:
> warning: long email
>
> begin Samuel Merritt <spam@andcheese.org>
> > On Tue, Mar 18, 2003 at 12:26:41PM -0800, Peter Jay Salzman wrote:
> > [snip]
> > > today i read the news.  the US army's webserver was hacked.  the webdav
> > > hole is to blame.
> > >
> > >
> > > ok, let's forget the issue of why the army is using IIS to begin with.
> > > that's a whole different issue.  i'm wondering who gets paid to sit
> > > around and administrate army webservers, and why it didn't occur to them
> > >
> > >    "hey, wait a minute.  WE'RE running IIS on win2k servers!"
> > >
> > > a website isn't a big deal, but considering we're on the brink of war,
> > > you'd think the administrators would be a bit more on the ball.  who
> > > knows what's networked to what.  heck, i don't have microsoft anything,
> > > and i still knew about the webdav hack.
> >
> > Nothing of any importance to the military could get leaked via the web
> > servers. No classified computer can be connected to the Internet.
> >
> > That's really important, so I'll say it again: No classified computer
> > can be connected to the Internet. If an Army computer is behind a
> > thousand different firewalls, but could conceivably send or receive a
> > packet from the Internet through those firewalls, the computer is not
> > classified.
>
> sam, you obviously were never a hacker.
>
>
> i was able to connect to MANY computers that weren't connected to the
> internet and which i didn't have a dialup for.   i'll give you two
> examples, but you have to understand that i'm talking about hundreds of
> computers that i entered that were supposedly physically separated from
> any other networks or dialup.
>
>
> 1. phone switches: ESS 1, ESS 1a, ESS 2, ESS 3, ESS 4, ESS 5
>
> there were a bunch of phone switches i wanted to hack into down in
> bellsouth territory - florida, georgia, alabama, etc.  through social
> engineering, i was able to discover that bellsouth had implemented very
> strict security -- no dialups to these computers.  you couldn't reach
> them through any network.   southern bell had SBDN - the southern bell
> data network.  it was their main hub.  the switches were taken off of
> SBDN.   access was restricted to direct asynch lines.
>
> however, through reading i was able to discover that it was possible to
> send batch commands to switches through a little known and poorly
> documented feature of a computer system named COSMOS which WAS
> connected to dialup.  COSMOS was being used mostly as a database.  i
> don't think work orders were going through COSMOS, so it was considered
> a low-security system.   by breaking into a low-security system and
> making use of the batch processing system that was unused and probably
> not known about, i was able to send arbitrary commands to the highly
> secure phone switches.  that was nearly as good as cracking into the
> switches.
>
> no doubt the administrators thought very much like you.  they were
> simply unaware of their vulnerability because they didn't think it was
> possible to access the systems.   that kind of thinking is *deadly* for
> a system administrator who is concerned with security, and it should
> definitely be avoided by anyone serious about security.
>
>
>
> 2. loop operations maintenance system (LMOS)
>
> in new york they implemented the "ultimate" in secure computing.
> customer records held in LMOS were physically separated from the net.
> not only that, they made damn sure that LMOS was physically separated
> from other networked computers.   no modems.  no networks.  nothing.
>
> however, i learned that they DID have a dialup system which was
> disconnected.  i simply called the switchboard that maintained the
> backup dialup system and told her that a water main had burst and the
> flood at varrick street (where the CO was) had all access to LMOS
> knocked out.   i then asked her if she could hook up the LMOS backup
> dialin service on her switchboard.   she asked me how long it would take
> for normal LMOS operation to be restored.  i told her "in a few hours"
> and said that i'd notify the next shift to disconnect the dialup.  she
> left her shift, and that dialup was left up for almost a year.
>
> here again, the admins had good cause to feel secure.  these systems
> were even more secure than the phone switches i mentioned above.  however,
> it was human frailty that i took advantage of.  the reason why i had
> access to these computers for a year was because they were so
> overconfident that their systems were physically separated from any
> network (and they were!) that they failed to implement a procedure of
> what to do when a backup dialup line was established.  overconfidence
> killed them.

Your stories all involve systems connected to the phone network, albeit
indirectly. That's the point I'm making: if A talks to B talks to C ...
talks to Z, who talks to the Internet or has a modem connected to any
phone line, A isn't a classified system.

Any real classified computing facility has people who continuously look
for connections of any sort between the classified net and the world.
Got a phone line? No modems allowed on any of your machines. Your hard
drive might get stored in a safe whenever you're not using it.

I'm sure that classified data can get out, but it really needs the help
of an insider. Any system that's not continually monitored doesn't
touch classified data.

It's not like there's this huge, amorphous blob of a "classified
network" somewhere; that'd be impossible to monitor. It's more like a
half-dozen systems and a switch here, a couple dozen over there, etc.

If there's any sort of connection at all from a public-facing web server
to a classified system, then many people are grossly incompetent.

> i won't bother mentioning all my other stories, because i'm pressed for
> time.  so make no bones about it, sam.  hackers are crafty.  nothing is
> impossible.  humans make mistakes.  and to say "it's just embarrassing,
> and has no potential to be dangerous" is a mindset i wasn't expecting
> from you.

If it were anything but a military or classified network, I'd be right
there with you, wondering what damaging stuff they could get out.

I've worked with people who work on similar networks, though, and
they're ridiculously paranoid about this stuff. Personally, I'm quite
confident that the classified networks remain secure at all times.

> in addition, you don't seem to understand that non-classified information
> can still be extremely valuable.   ask me about the anti-radiation
> missile code phrase we had in the air force sometime.   that's an
> example of info which isn't classified, yet would throw a radar squadron
> into chaos for a day.  that would be _deadly_ during an air engagement.

You're right; I didn't consider the value of nonclassified information.
In theory, anything that can cause the loss of life if known is
classified, but bad judgment calls can foul that up.

Mea culpa.

> even something stupid like whether a squadron is getting ready to
> deploy.  that obviously can't be classified because then the entire
> squadron needs to have clearance.  right?   but certain squadrons have
> different "checkered flag areas".   an enemy might have advance warning
> by knowing which squadron was ordered to go into the field.   another
> example of non-classified info which is still vital.

Good call; again, I just didn't consider the value of nonclassified
stuff. I guess I should take my blinders off.

> so, not all "good" and "juicy" info is classified.  and in both of my
> examples, it was complacency that killed security.  complacency like
> saying...
>
> > There are people who do nothing but go over classified networks, again
> > and again, to make sure that there is absolutely no path from them to
> > any unclassified network or system, including the Internet.
>
> and like saying...
>
> > Hence, there is no path to classified information from the Army's web
> > servers, and so if the web servers get hacked, it's embarrassing, but
> > nothing more.
>
> this is so wrong, it's not even funny.   this is *exactly* the kind of
> thinking i'd expect from the army webmasters who let themselves get
> hacked despite the webdav thing being headlined yesterday.
>
> pete

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
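The test both sides of the thread end up agreeing on is transitive: a host counts as connected if any chain of links, through however many intermediate machines, reaches a modem or the Internet, and a link that was hooked up "for a few hours" counts the moment it exists. The following is an added example, not code from the list or from either author: a small Python audit that takes a host inventory and reports every host marked classified that has such a path, with the path itself. The inventory, the host names and the dict layout are constructed assumptions modelled on the two stories above (an ESS switch reachable only through COSMOS's batch interface, which sits on a dialup pool; LMOS on an isolated pair of machines; a public web server).

```python
"""Transitive-connectivity audit for hosts that are supposed to be isolated.

Added example, not code from the thread. The inventory below is constructed
and modelled on the two stories quoted in the thread; the host names and the
dict layout are assumptions.
"""
from collections import deque
from copy import deepcopy

OUTSIDE = "OUTSIDE"  # virtual node standing for any phone line or the Internet

# Constructed inventory (assumption, not real systems).
INVENTORY = {
    "switch-ess5":  {"classified": True,  "links": ["cosmos"]},
    "cosmos":       {"classified": False, "links": ["switch-ess5", "dialup-pool"]},
    "dialup-pool":  {"classified": False, "links": ["cosmos"], "modem": True},
    "lmos-db":      {"classified": True,  "links": ["lmos-console"]},
    "lmos-console": {"classified": True,  "links": ["lmos-db"]},
    "www":          {"classified": False, "links": ["INTERNET"]},
}


def build_graph(inventory):
    """Undirected adjacency. A link counts in both directions because the test
    is whether a packet could be sent *or* received; a modem, or a link to
    "INTERNET", attaches the host to the OUTSIDE node."""
    adj = {OUTSIDE: set()}
    for host, info in inventory.items():
        adj.setdefault(host, set())
        for peer in info.get("links", []):
            peer = OUTSIDE if peer == "INTERNET" else peer
            adj.setdefault(peer, set())
            adj[host].add(peer)
            adj[peer].add(host)
        if info.get("modem"):
            adj[host].add(OUTSIDE)
            adj[OUTSIDE].add(host)
    return adj


def path_to_outside(adj, start):
    """Breadth-first search from start; returns the shortest node path that
    ends at OUTSIDE, or None when no chain of links leads out."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == OUTSIDE:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):  # sorted so the reported path is deterministic
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def exposed_classified_hosts(inventory):
    """Every host marked classified that has any path out, mapped to that path.
    An empty dict is the only acceptable audit result."""
    adj = build_graph(inventory)
    exposed = {}
    for host, info in inventory.items():
        if info.get("classified"):
            path = path_to_outside(adj, host)
            if path:
                exposed[host] = path
    return exposed


def with_temporary_link(inventory, host, peer=None, modem=False):
    """Copy of the inventory with one extra link or modem on host: the kind of
    'backup dialup for a few hours' change that must trigger a re-audit."""
    inv = deepcopy(inventory)
    entry = inv.setdefault(host, {"classified": False, "links": []})
    if peer is not None:
        entry.setdefault("links", []).append(peer)
    if modem:
        entry["modem"] = True
    return inv


if __name__ == "__main__":
    print("baseline:", exposed_classified_hosts(INVENTORY))
    outage = with_temporary_link(INVENTORY, "lmos-console", modem=True)
    print("with backup dialup:", exposed_classified_hosts(outage))
```

On the baseline inventory the switch is flagged through cosmos and the dialup pool, which is the COSMOS story: the low-security intermediate is just another link, and the audit does not care that the batch feature was undocumented. The LMOS hosts pass until `with_temporary_link` adds the backup modem, after which both are flagged, which is why the check has to run again every time anything is hooked up and not only once at commissioning.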
