Defense Department Computers Vulnerable To Attack

From ricardo dominguez <rdom@thing.net>
Date Sun, 10 Dec 2000 11:34:53 -0500


[: hacktivism :]

12/08/00
     Defense Department Computers Vulnerable To
     Attack
     By Walter Pincus, Washington Post
     WASHINGTON, D.C., U.S.A.,
     08 Dec 2000, 2:58 PM CST

     The Defense Department suffered more than 22,000 electronic attacks on its
     computer systems in 1999 and about 14,000 in the first seven months of this
     year, the Pentagon's chief information officer said.

     The vast majority of those attacks were either harmless or caused only petty
     harassment, but in a few cases, hackers believed to be working for foreign
     countries have broken into unclassified computer systems and downloaded
     large amounts of information, said Arthur Money, the assistant secretary of
     defense for command, control, communications and intelligence.

     Pentagon officials said that, to the best of their knowledge, the Department of
     Defense's classified computer systems have not been breached.

     The DoD was able to make an accurate count of the number of attacks for the
     first time last year, because at the end of 1998 it installed devices to monitor
     attempts by hackers to penetrate its computers.

     In 1999, the Pentagon detected 22,144 attempts to probe, scan, hack into,
     infect with viruses or disable its computers. About 3 percent (or more than
     600) of those incidents caused temporary shutdowns or other damage. About 1
     percent (or roughly 200) were intrusions by hackers who managed to break into
     unclassified computer systems.

     So far this year, officials said, the number of attacks is up approximately 10
     percent, and the percentage that have caused damage or resulted in intrusions
     is about the same.

     In an interview, Money predicted that the number of attacks is only "going to
     increase" in the future.

     "A majority of the attacks [that cause damage] come through vulnerabilities in
     existing software, most of it from commercial companies" such as Microsoft,
     Netscape and Lotus, he said.

     Although the Pentagon is "putting more and more effort into testing"
     off-the-shelf software and is working with major software companies in the
     design stages, Money added, "there is hardly any way to prevent"
     vulnerabilities from creeping into the millions of lines of commercial computer
     code written not only in the United States, but also in India, Ireland, Israel and
     other countries.

     "On a lot of these [programs], we don't know where the code is written," he
     said.

     Many of the vulnerabilities are unintentional, but some appear to be "trapdoors"
     deliberately left by software writers to allow intrusions, and others are
     "backdoors" that were designed to help systems administrators but have been
     "discovered by kids and hackers and used to harass the systems," a Pentagon
     official said, speaking on condition of anonymity.

     As a result, the official added, "we are not buying such off-the-shelf products
     in our most sensitive systems."

     The Pentagon's cyber security problem is enormous. The Defense Department
     has roughly 10,000 computer systems and 1.5 million individual computers.
     About 2,000 of the systems are "mission-critical," meaning that they "must
     work for [the DoD] to successfully execute its myriad missions," Money told a
     House Armed Services subcommittee in March.

     "We are probed on a daily basis by those who are trying, or planning, to disrupt
     our nation's military capabilities," he said, adding that the Pentagon has
     discovered "a few nation state operatives doing major downloadings of
     unclassified materials."

     In August, Congress put an additional $163 million for computer security into
     the fiscal 2001 defense appropriations bill. But the House-Senate conferees'
     report on the bill warned that the new funds "will be of limited value if the
     software used by the department has been designed with intentional
     weaknesses to permit future unauthorized access."

     The conference report directed the Pentagon "to carefully consider the origin
     of all software used in developing or upgrading information technology or
     national security systems."

     The "seminal event" that awakened the Pentagon to its computer security
     problems occurred in February 1998, Money said, when some California youths,
     under the direction of an Israeli, took advantage of a "well-known vulnerability
     in Sun software" to break into the Solaris operating system used by several
     Pentagon agencies.

     Those attacks, which came as preparations were underway for a possible
     military operation against Iraq, "were widespread, systematic and showed a
     pattern that indicated they might be the preparation for a coordinated attack
     on the defense information infrastructure," then Deputy Defense Secretary
     John J. Hamre told Congress in 1999.

     Military computer administrators had been warned about the weakness that the
     California hackers exploited, but many had failed to heed the warning and
     patch their systems, Money said.


[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]