“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
C'mon. You're the military. "It just keeps coming back?" So you decide to do a press release about it? Please.
I wouldn't have whined like that when I was de-malwareing neighbourhood PCs at age 13, I would have fixed it. If I can successfully keep malware off the PCs of middle aged parents with teenaged children, then the government capable of developing and operating fleets of unmanned military drones can certainly isolate a network and disable the USB bus.
There is definitely some high level shit going on right here. I doubt we'll know about it for many years, if ever.
If they are not smart enough to keep malware off of what should be the most secure systems around, perhaps they shouldn't be building the fricking FLYING REMOTE-CONTROL DEATH MACHINES for a while, until they can figure out the basics.
But you are glossing over a LOT of detail here. The military doesn't work like Apple: they don't design, oversee, or directly control the construction of the hardware they use. And they shouldn't - the government is woefully inefficient at building products, that's what corporations are good at.
Here's the situation:
- The Air Force contracts General Atomics Aeronautical Systems to build UAVs. You can bet your ass the contract covers things like "protected from malware"
- General Atomics contracts out the different components of the UAV. No device worth $150M gets built by one company alone. The radar, the metal shell, the inside components, and each component of the software are all made by different companies.
- Each component is meticulously specified and rigorously tested. The makers of a component is contractually liable if they fuck up, giving them an incentive to do it slow & right. That's why it's so damn expensive.
- General Atomics puts the pieces together into the final product and delivers it to the Air Force after another round of rigorous testing.
- A team of guys in the Air Force are trained on operating the UAVs to deploy on missions.
So to say something like "Ugh, military, don't deploy UAVs if you can't keep it virus free!" is an oversimplification. These are extremely complex machines, with highly specialized embedded software, meant to deliver explodey things with extreme precision, while being operated from very far away. You can't just slap Norton on these things and call it a day.
And if you think this little press release means anything to actual national security, you have much to learn about our secret war against terrorism.
they are just wined and dined by the contractor when they should be directly overseeing and controlling.
>And they shouldn't - the government is woefully inefficient at building products, that's what corporations are good at.
Starting at some architectural level, many DoD systems are just one-off systems, not products.
There are actually very strict controls on how much government personnel are allowed to accept from contractors. IIRC, the limit is something like $20-$50 per year in gifts. When contractors host large events with catered lunches, they put out bowls or some other sort of receptacle so that government personnel can pay for their lunch, otherwise it would count towards that annual limit.
Enforcement at the level of "you didn't pay for that six-inch sub and can of coke" is not really practical, but quite a few government personnel have gone to jail in recent memory for accepting more lavish gifts from contractors.
Now, if you send your lobbyists to buy expensive meals for legislators (you know, the ones who actually decide how the money gets spent) and write them big checks, that's generally perfectly legal.
I suspect that under it all, you'll find an unpatched XP or even Win2000.
As far as I know, SSDs are not allowed, only magnetic drives.
And, have you seen all the computers necessary to carry out a drone operation? I guarantee you not all of them are running an RTOS. Probably not even all of them onboard the drone.
Of course. There is Windows NT for _that_ :
No, you can't - you have to slap Symantec Critical System Protection on them. /Then/ you can call it a day.
They're handicapped by a need AND compulsion to use contractors for everything. Actual government employees didn't build drones; they were all developed and in many cases largely maintained and even operated by private contractors, working to government requirements (which themselves are structured to make the contractors inefficient, compared to normal commercial companies). Same thing with networks.
It's not that hard.
But anyway, my point was that I don't for a second believe that they're this incompetent, there must be other factors at play.
Let me remind you that this computer can fire missiles at people, and has a potentially unlimited budget.
The costs of good vs. bad IT security are actually not terribly significant in the context of the overall defense budget, either.
It's really a failure of process and vision, not resource constraint. Government IT and IT security used to lead industry; now consumers especially and even enterprises are more advanced than government.
The thing which makes it hard is humans, politics, and economics -- there is a huge amount of CYA with respect to vendor choice (hence, they're a huge Microsoft/Cisco shop), lots of little fiefdoms, an "up or out" promotion policy combined with people being in leadership roles for short periods (with minimal prior background), and lack of real accountability.
The Microsoft-ness isn't enough to kill them on its own; look at the Israeli military, which is also heavily Microsoft based, and has world-class computer security.
If you have a good engineer or a great engineer but any kind of bureaucracy, yes, it's near impossible.
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7
"Microsoft thanks the following companies for working with us and for providing details of limited, targeted attacks against customers of Internet Explorer 6:
Google Inc. and MANDIANT;
French government CSIRT (CERTA)"
A requirement that all components of the TCB be FIPS 140-2 level 3+ for anything which is routinely used in combat operations would please me, I think. Right now that's just for the crypto modules themselves.
If it's good enough for the NHS, it's good enough for uncle sam.
That said, i'm not in charge of physical security of anything. I'm sure the guys with missile launching computers figure anybody that can get to the secure terminal is trustworthy.
Sure, it's hard. But it's the fucking military. Figure it out.
Other countries hack US war machines with targeted virus: man, I couldda stopped that shit easy.
Such as: they discovered and disabled the virus but are still sending fake info over the virus's communication channel and want the Chinese/Iran/whoever to think it is still working?
That sounds much better than a technically incompetent military with dangerous toys.
The military deny this is happening, the info is from somebody leaking to the media - probably frustrated with what is going on.
Presumably the default thing to do under these circumstances would be to shut up about it, so the fact that they're broadcasting it to the whole world must mean something. In any case I wouldn't take any of the details at face value -- e.g. do they really not have any idea where it came from, or are they feigning ignorance in the hopes of lulling their opponent into a false sense of security?
> “We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
The end of the article says they asked for an official response and were stonewalled.
> The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”
'The military' doesn't want anyone to know; some individuals inside do.
I certainly didn't intend my reply as a counterpoint to the "if it's not official it's a leak" point.
Nope, I don't think the USAF leaks anything like this unless it means to.
I think once something hits a large enough scale, they announce it; it's the easiest way to communicate to the affected DoD community (military, contractors, etc.), at which point it is basically public knowledge.
The official comment about the incident from the story is:
“We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”
It's Windows. Very little Unix anywhere in the DoD over the past few years on new systems; it's mainly legacy, or embedded in products they purchase. There are definitely some Unix server deployments within DoD even now, but they're few and far between.
Blue Screen of Death and all.
My guess is it's not the drones themselves running Windows, but the consoles used to communicate with the drones. It makes sense. AF guy gets to work, plugs in his USB drive filled with music and pulls up the drone control program...
Though, now that I think about it, I would be disappointed, but not entirely surprised, if the drones ran Windows also. Sigh.
Wow. Reading more of the wiki article (and linked sources) reveals that the actual towing to port is a contested issue. No one denies that a /0 error killed the whole ship though.
I mean come on, the menu option was labeled "Re-index databases". I thought it would make it go faster :)
I ended up just making something up and restoring from backup.
I highly, highly doubt that you're right about this. If you happen to be right, you won't be for long. It might be that nobody wants to run Windows, but there is clear motivation, as well as hardware and software technology, to have a full-scale OS on an advanced UAV.
UAVs are very complicated in terms of technology and engineering, but the hardware is simple because it's basically just running control loops on some board.
spoilers: Microsoft has a significant enterprise support organization, which the military is probably already dealing with, and Windows scales farther down than you'd think.
For the only reasons such stupid thing happens: the clueless manager wants the machine to run a modern OS and thinks Windows is the most modern OS out there.
post-downvote edit: I am saying nothing about viruses like Stuxnet, designed as weapons tailored to infect specific systems, for which no OS would be safe, but how brain-dead is it to design critical systems that control airborne weapon systems around an OS that's vulnerable to each and every piece of malware known to man?
I agree I am more familiar with corporate IT disasters where some pointy-haired boss decided Windows was the way to go instead of what would be the optimal choice, but I always expected flight-control software to be built with a great amount of attention to every detail.
Not entirely true. They (can and do) use closer locations:
"At about 2200, we were reconfiguring some mail files which, with a lot of help from Windows NT, got put in the wrong place during the backup procedure. When we finished restoring the files, the network was down and would not come back up. We worked this for several hours. Finally, jiggling some cables brings just a part of the net back. (that really instills confidence in the stability of your network)." - from http://spaceflight.nasa.gov/station/crew/exp1/exp1shepmarfeb...
Yes, we all know they use Windows on their workstations and it was assumed they had a file/mail server too. Why wouldn't they?
You can use differing definitions for "what the ISS runs" but a mail server is not a control server and it's disingenuous to keep insisting it is. It's purposeful misdirection like this that leads Joe Sixpack into thinking the spaceships get viruses a la Independence Day and hacker kiddies can whistle a virus that'll send the ISS crashing into the Earth.
I'm not sure what OS is on the aircraft; I think it's probably a RTOS for flight control and possibly separate processors (running whatever) on a bus for sensor packages. A lot of UAVs have interchangeable sensors, and sometimes a special camera, electronics package, etc. costs more than the airframe, is developed independently, etc.
There are tens (hundreds worldwide?) of UAV platforms in the US military, ranging from tiny little throwable tactical systems up through almost U2-sized "real aircraft, minus a pilot" like Global Hawk.
Woah, what Navy has ships like that? Bowser's navy?
But yah, I know what you're talking about.
Remember: for the military, death is just business as usual.
But to illustrate my main point, 1000 years ago it was impossible for one man to destroy a lot of people. 500 years ago a man Guy Fawkes could use gunpowder to blow up part of a building. Since then we invented dynamite, planes, rockets... a society in which technology enables a small group of people to wreak havoc on a large group of people must necessarily have more surveillance/intelligence than one where this is not possible, if it is to ensure the security of its citizens. I mean what is to prevent a person from releasing a contagious virus in the NYC subway or something similar, and the effects to show up only days later? I hate to say it but we don't know where we're going with all this technology's potential for bad things.
I thought the whole point of an air gap network is that nothing crosses the gap. Having those ports/devices available is just asking for it.
It will take a while to replace all of these systems with their non-USB configurations.
Given that BlueTooth is probably a no-no as well, how would one build a system these days that needs to support Mice, Joysticks, and Keyboards without using USB?
A literal chicken-wire-style cage that encloses the PC case, with openings too small to pass the head of a USB device.
The cage would be locked to prevent removal of the machine and have a locked backpanel which allows certified staff to install the various usb devices -- with some sort of cage mount inside to loop the cables around, so that a tug from the user wouldn't pull the usb connector from the machine and cause an obnoxious number of calls to 'the guy with the key' to plug a mouse back in.
The cage would neatly deny access to any and every port or drive that may or may not be present in one fell swoop, which would likely simplify OEM contracts and final installation as well as increase security.
You could build the cage physically larger than the general range of whichever flavor(s) of ATX cases are being used, so that the cages could be manufactured in bulk without too much worry about a switch between PC OEMs causing problems.
You could even add a screw-style bracket or two to hold the PC case firm within the cage and put some acoustic foam pads here and there to cut down on any extra noise.
It's easier to enforce a security policy on well-managed PCs which turn off various ports in software (AND DISABLE AUTORUN!), vs. trying to physically disable them, but DoD also had people go around and epoxy USB ports, or at the very least put foil seals on them. There are problems with this, like the usb cd-rom token things, and the attack mouse.
One of the few areas of IT security the DoD gets right is physical protection of infrastructure (relatively). Unfortunately, it's usually basically a strong shell with a gooey inside of software/networks, and with big pipes bringing lots of stuff in and out of the shell constantly. Once something bad gets in, it's kind of too late.
There's a lot of awesome new Intel stuff to make PC hardware potentially more secure -- secure boot, CPU features, memory protection, etc. Combined with the right OS, you could go a long way. Unfortunately a lot of people are also against this technology because it has been used for Digital Rights Management (DRM) anti-piracy, other privacy violations, etc. I was really against it for those reasons, but have come to think it would on the whole be a net win for society to have more secure IT, even if not being able to break it so easily means some people can use computers for bad things.
on the topic of disabling autorun, there was a patch earlier this year to disable autorun on non-shiny media by default in XP and Vista (it's already turned off in 7.)
infections by autorun-abusing malware families dropped by over 60% as everything got patched, and total infection rate dropped by almost half.
When asked why they were told that for government contracts, and for businesses that wanted to make sure that USB devices could not just be used at random.
It's not particularly hard to modify/remove the drivers which make only the usb-disks work on linux. I can't imagine it being much harder on windows either.
All other usb devices could work, but not external storage.
Even better the usb drivers could contain a whitelist of device classes for which drivers can be loaded.
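The class whitelist the comment above describes can be modelled outside the kernel to show the one detail that matters in practice: the decision has to be made per interface, not per device, because a single composite device (the "attack mouse" mentioned earlier in the thread) can expose a HID interface alongside a hidden mass-storage one. The code below is an added illustration, not something from the thread or from any driver; the class codes (HID 0x03, mass storage 0x08, hub 0x09) are the standard USB-IF values, and the device records are constructed. On Linux the equivalent enforcement is done by usbguard or by the per-device `authorized` attribute under `/sys/bus/usb/devices/`, which this model does not touch.

```python
"""Interface-class whitelist for USB devices (added model, not kernel code).

A device is allowed only if every class it exposes is on the whitelist;
one non-whitelisted interface on a composite device is enough to deny it.
"""

from dataclasses import dataclass, field

# Standard USB-IF class codes used below
PER_INTERFACE = 0x00  # bDeviceClass 0: class is declared per interface
HID = 0x03            # keyboards, mice, joysticks
MASS_STORAGE = 0x08   # thumb drives, USB CD-ROM tokens
HUB = 0x09


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass
class Device:
    vendor_id: int
    product_id: int
    device_class: int
    interfaces: list = field(default_factory=list)


# Policy for an operator console: input devices and hubs only, never storage
ALLOWED_CLASSES = frozenset({HID, HUB})


def evaluate(device, allowed=ALLOWED_CLASSES):
    """Return ("allow"|"deny", reason) for one device under the whitelist."""
    classes = []
    if device.device_class != PER_INTERFACE:
        classes.append(device.device_class)
    classes.extend(iface.cls for iface in device.interfaces)
    if not classes:
        # No descriptor information at all: fail closed
        return ("deny", "no class information")
    rejected = sorted({c for c in classes if c not in allowed})
    if rejected:
        listed = ", ".join(f"0x{c:02x}" for c in rejected)
        return ("deny", f"non-whitelisted class(es): {listed}")
    return ("allow", "all interfaces whitelisted")


def audit(devices, allowed=ALLOWED_CLASSES):
    """Evaluate a list of devices; keys are vendor:product ids as lsusb prints them."""
    return {f"{d.vendor_id:04x}:{d.product_id:04x}": evaluate(d, allowed)
            for d in devices}


# Constructed sample devices (vendor/product ids are placeholders)
PLAIN_MOUSE = Device(0x1234, 0x0001, PER_INTERFACE,
                     [Interface(0, HID, subclass=1, protocol=2)])
THUMB_DRIVE = Device(0x1234, 0x0002, PER_INTERFACE,
                     [Interface(0, MASS_STORAGE, subclass=6, protocol=0x50)])
# Composite "attack mouse": a real HID interface plus a storage interface
COMPOSITE_MOUSE = Device(0x1234, 0x0003, PER_INTERFACE,
                         [Interface(0, HID, subclass=1, protocol=2),
                          Interface(1, MASS_STORAGE, subclass=6, protocol=0x50)])

if __name__ == "__main__":
    for ident, (decision, why) in audit([PLAIN_MOUSE, THUMB_DRIVE,
                                         COMPOSITE_MOUSE]).items():
        print(f"{ident}: {decision} ({why})")
```

A per-device check that only looked at the first interface, or at `bDeviceClass`, would pass the composite mouse; that is why the model collects every class before deciding, and why it fails closed when a device reports no class at all.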
Whoever this is is obviously so far out of the loop and technical domain that everything they say should be taken with a heaping pile of salt.
I don't doubt that a virus exists, but the scope of it is likely wildly overblown. At least, there's no reason to actually think it's some military grade virus that is impossible to eradicate that intercepts all communications with the drones.
Or not, it was just a bug, we'll fix it this one time and pretend it will never happen again. Worse is better, as they say!
And, if there's a bug in your math, you will, of course, have some bug. Garbage in, garbage out. But! You can write your mathematical proof in such a way that the computer checks it for you (for example, static typing is a weak form of this). So all you need to have faith in is that program. Now we've exchanged faith in all programs to faith in one program. Which is an advance. But then we can formulate a proof that that program is correct in its own proof language. We hand-check this proof once, and then from then on the program can check later iterations of itself.
That's the dream, anyways. Some of the machinery to do this is available today, but some not.
Though really the drones probably live in middle east so it'd be more like drones would go berserk in a US military bases in middle east and kill troops or attack innocent foreign civilians drumming up more anti American sentiment
"Americans use drone to assassinate Afghan president"
Edit: This may be a bit of a cynical view, but if you believe I'm actually wrong, I'd like to hear why
Unless you want to make the argument that it's far worse for the ground control systems to be continually reinfected, as they have access to the rest of the air-gapped private network as well.
It's far less worse that the control stations are infected as opposed to the aircraft themselves. It's pretty easy to shift control stations for a UAV. It's not so easy to regain control of a malfunctioning UAV. So, far from irrelevant.
That said, I was merely clarifying a common misinterpretation people were getting from the article.
Well, at least it's easier to axe a box in the room than to shoot down a rogue UAV across the world.
downside of things being "off the record" is this could be someone who overheard two guys talking about something unrelated in the cafeteria, put "two and two" together, and picked up the phone. and since you can't get an official line ... you just run with the rumors and BS
Based on those facts, is it likely that this is benign? Are there known viruses that fit this pattern? Who's in charge of this project, and what do they say about it? Is it SOP for viruses to be able to completely beat military security for weeks? What are the possible security breaches? Why attack this part of the system?
There's a lot of questions that could and should be asked. Instead, Ars just repeated history and summarized the press release.
2. This is a Wired story republished on Ars, not actual Ars reportage.
I certainly agree that additional commentary from security researchers would be welcome, however.
The statement you quote is impossible to rate as true or false. But here's a fuller quote from the article above:
"But there are also quite a few things about drones that you might not have heard yet. Most Americans are probably unaware, for example, that the US Air Force now trains more UAV operators each year than traditional pilots. [...] As I write this, the US aerospace industry has for all practical purposes ceased research and development work on manned aircraft. "
You mean they paid $40 a license for dd if=/dev/null of=/dev/sda?
(I know BCWipe is a secure delete tool. But a computer virus can't perform forensic analysis of your hard drive.)
Ever since Filipino Jemaah Islamiyah hackers pwned an MQ-9 Reaper and zapped the governor of Palawan with USAF-owned Hellfire missiles, the Americans have gone back to keeping a human finger on the trigger: not because a state governor from a foreign country was killed, but because of who was in the armoured limousine right behind him. (The prospect of having to utter the term collateral damage in the same sentence as President of the United States before a congressional enquiry had focussed a few minds.)
http://www.amazon.com/Rule-34-Charles-Stross/dp/0441020348/c... (his referral tag, not mine)
Either that or gross incompetence but my money is on the former.
Of course, the source of the infection could be really nefarious. For example, imagine if someone replaced a keyboard with one that delivered a payload (trojan, keylogger, etc) when it is plugged into a computer's USB port? Then reformatting the hard drive does nothing because it will immediately be infected again.
It's probably Norton Ghost, and I'd put $5 on the Ghost image being cooked bad.
Didn't I read recently about a real virus discovered in the wild, that could infect the BIOS of certain computers?
The mistake that is made here is to assume that a network can ever be secure. It is like assuming that no one will ever pee in a swimming pool.
Just wait until the cops start using these in the USA for "crowd control" ugh.
What in the...!?!?
"Oh please tell me they didn't connect directly to the internet".
This is the problem with rigid hierarchies. Everyone just passes the problem to someone else until the whole thing blows up. In this case, literally.
I submit this is a Black Flag operation story.
Next time think twice before antagonizing your local geek :)