[ISN] Apples For The Army

From: InfoSec News (alerts@private)
Date: Mon Dec 24 2007 - 03:18:22 PST


http://www.forbes.com/home/technology/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221army.html

By Andy Greenberg 
Forbes.com
12.21.07

Given Apple's marketing toward the young and the trendy, you wouldn't 
expect the U.S. Army to be much of a customer. Lieutenant Colonel C.J. 
Wallington is hoping hackers won't expect it either.

Wallington, a division chief in the Army's office of enterprise 
information systems, says the military is quietly working to integrate 
Macintosh computers into its systems to make them harder to hack. That's 
because fewer attacks have been designed to infiltrate Mac computers, 
and adding more Macs to the military's computer mix makes it tougher to 
destabilize a group of military computers with a single attack, 
Wallington says.

This past year was a particularly tough one for military cybersecurity. 
Cyberspies infiltrated a Pentagon computer system in June and stole 
unknown quantities of e-mail data, according to a September report by 
the Financial Times. Later in September, industry sources told 
Forbes.com that major military contractors, including Boeing, Lockheed 
Martin, Northrop Grumman and Raytheon had also been hacked.

The Army's push to use Macs to help protect its computing corps got its 
start in August 2005, when General Steve Boutelle, the Army's chief 
information officer, gave a speech calling for more diversity in the 
Army's computer vendors. He argued the approach would both increase 
competition among military contractors and strengthen its IT defenses.

Apple computers still satisfy only a tiny portion of the military's 
voracious demand for computers. By Wallington's estimate, around 20,000 
of the Army's 700,000 or so desktops and servers are Apple-made. He 
estimates that about a thousand Macs enter the Army's ranks during each 
of its bi-annual hardware buying periods.

Military procurement has long been driven by cost and availability of 
additional software--two measures where Macintosh computers have 
typically come up short against Windows-based PCs. Then there have been 
subtle but important barriers: For instance, Macintosh computers have 
long been incompatible with a security keycard-reading system known as 
Common Access Cards system, or CAC, which is heavily used by the 
military.

The Army's Apple program, created after Boutelle's 2005 address, is 
working to change that. As early as February 2008, the Army is planning 
to introduce software, developed by Arlington, Texas-based Thursby 
Software, that will also enable Mac desktops and laptops to use CAC 
systems--a change that should make it easier to get Macs into the 
service.

Though Apple machines are still pricier than their Windows counterparts, 
the added security they offer might be worth the cost, says Wallington. 
He points out that Apple's X Serve servers, which are gradually becoming 
more commonplace in Army data centers, are proving their mettle. "Those 
are some of the most attacked computers there are. But the attacks used 
against them are designed for Windows-based machines, so they shrug them 
off," he says.

Apple, which declined to comment, has long argued its hardware is less 
hackable than comparable PCs. Jonathan Broskey, a former Apple employee 
who now heads the Army's Apple program, argues that the Unix core at the 
center of the Mac OS operating system makes it easier to lock down a Mac 
than a Windows platform.

And Apple's smaller market share has long meant that it didn't attract 
cybercriminals hoping to wreck the most havoc possible. "If you look at 
the numbers, you see that malicious software for Macs is very limited," 
he says. "We used to sell Apples by saying they don't get viruses."

Of course, cyberspooks may be honing their Mac-attacking skills, too. An 
end-of-year report by Finnish software security company F-Secure 
highlights the growing number of hackers targeting Apple systems with 
malicious software, some of which could allow cybercriminals to steal 
security passwords. In the past two years, until this October, F-Secure 
found only a small handful of malicious programs targeting Macs. In the 
past two months, the company has found more than a hundred specimens of 
Mac-targeted malicious code.

Charlie Miller, a software researcher with Independent Security 
Evaluators, worries that the Army's diversification plan isn't enough to 
thwart the bad guys. He sees a two-platform system as a "weakest link" 
scenario, in which a determined cyber-intruder will seek out the more 
vulnerable of the two targets. "In the story of the three little pigs, 
did diversifying their defenses help? Not for the pig in the straw 
house," he says.

The marketing pitch that Apples are inherently more secure than PCs is 
also largely a myth, contends Miller, who gained notoriety for remotely 
hacking the iPhone last August. He points to data gathered by software 
security firm Secunia, which showed that Apple had to patch nearly five 
times as many security flaws in its software over the past year as 
Microsoft had to patch in Windows. Apple's Quicktime player alone, he 
says, was patched 34 times. "I love my Macs, but in terms of security, 
they're behind the curve, compared to Windows," Miller warns.

But the Army's Jonathan Broskey stands by his claims of Apple's 
security: He says the high number of patches to Apple software is a good 
sign--evidence of the large community of developers actively working to 
tighten Unix programs and eliminate bugs. Nonetheless, like any 
responsible IT department, he says the Army's Apple program will closely 
monitor security updates to Mac-specific programs. "The Army's no 
different from any corporation," he says.

Still, relative to corporate cybersecurity, Lieutenant Colonel 
Wallington points out, the stakes are much higher. A leaked deployment 
order, for instance, might reveal the path of a supply truck and the 
points where it could be sabotaged, he says.

"This is information that affects the lives of soldiers and the 
civilians we're trying protect," Broskey adds. "It has to be 
safeguarded."


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Mon Dec 24 2007 - 03:36:48 PST