Re: [ISN] Have Crackers Found Military's Achilles Heel? (disa/dem)

From: mea culpa (jerichot_private)
Date: Wed Apr 22 1998 - 19:38:31 PDT

  • Next message: mea culpa: "[ISN] Information Risk Group Joins Underwriters at ..."

    From: Matthew Patton <pattont_private>
    Date: Tue, 21 Apr 1998 21:49:25 -0400
    >the Defense Information
    >Systems Network Equipment Manager (DEM) -- from the Defense Information
    >Systems Agency, the branch of the Defense Department in charge of
    >classified computer networks.
    Well actually DISA is responsible for all telecomm for all military
    services. Kind of like an umbrella organization. They are responsible for
    running SIPRNET, a classified SECRET level global internet for US and NATO
    and other allied contries use among other networks. I'm not surprised in
    the least that they got hacked if that's really the case. I've seen first
    hand how pathetic security awareness is in the military, let alone DISA.
    For all their little tiger teams and huge budgets for 'infowar' they are
    really quite lame. I don't mean to imply they don't do cool stuff but they
    are seriously overrated.
    Actaully there are all sorts of underbelly problems with SIPRNET. STU-III's
    can be had and getting keys isn't all that hard. You could attack anhy of
    the longdistance carriers' networks and sniff the traffic. You could get
    your hands on a KG (Motorolla crypto device). You could get the key
    exchange material. You could find a modem bank at the McClean NOC and
    attack the Cisco remote access terminal servers and defeat them. All sorts
    of avenues are available. You could pose as a construction worker in the
    Pentagon during it's multi-year renovation project and tap any of the
    skillian of fiber optic lines. Pentagon physical security is really
    pathetic. I've been frisked and checked far more thoroughly by silicon
    valley corporations.
    >MOD said that the software is used to remotely monitor and manage military
    >computer-related equipment, including routers, repeaters, switches,
    >military communication networks, and GPS satellites and receivers.
    Yup. Does anyone know if it wasn't WANG or MCI that got compromised? These
    are the 2 main contractors that service the networks and monitor them as
    well as write said software etc. I've been inside the NOC in MD. It
    controls all of DISN which is the phone network for the military. Purhpas
    this is what was taken? I don't think that would be too hard actually.
    > "DISA will be the
    >preeminent provider of information systems delivery support to our
    >warfighters and others as required by the DoD, under all conditions of
    >Peace and War."
    Yeah they have a rather glorified view of themselves don't they.
    >Gene Spafford, director of the computer security research center COAST,
    >said that the intrusion, if true, didn't surprise him.
    >"I don't think anyone who is familiar with government security has ever
    >believed it to be as secure as claimed," Spafford said.
    Right on bud!
    >Spafford added that he was not familiar with DISA systems, but that any
    >distributed system is vulnerable, and that many government systems are
    >configured "for convenience and not need."
    Sure Gene hasn't visited DISA HQ? He's describing them to a T.
    >The group claimed that they stole the software from a Windows NT server at
    >DISA, and that about 30 individuals worldwide presently have copies.
    I knew it! I've been telling people there (granted peons) that their NT
    security just blew chunks. Serves them and their 3 star general right for
    bowing down and worshiping Redmond WA. DISA is one of M$'s favorite
    customers and why not, they buy everything Bill G. sells and not just a few
    copies but a whole bloody site license for hundreds of thousands of
    >"When you have a system that is distributed such that others can
    >manipulate it, you open it up to not just security problems but also
    >erroneous operations," Spafford said. "[You get] people who don't have
    >training and [you get] accidents. It is a standard systems design
    I'll bet somebody had one of those 'dual disk packs' and connected the
    SECRET machine to the internet cause they had the A/B switch set wrong or
    some other stupid foolishness. Heck I see such nonsense in my own office.
    And the networking people look at me strange when I say at least renumber
    the networks so such a gaff makes the machine instantly incommunicado and
    damn obvious to any monitoring equipment.
    And the feds want to regulate and control crypto? HA!
    PS. I used to work for DISA. It was a dark moment. Looks like OSI will be
    paying me another annoying visit...
    "The force of prayer is greater than any possible combination of man-made
    or man-controlled powers, because prayer is man's greatest means of tapping
    into the infinite resources of God."
      - J. Edgar Hoover
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Dimensional Communications (

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:16 PDT