U.S. military computer attacked

MSNBC.com ^ | 3/17/03 | Bob Sullivan

[Bloody Sam Roberts]

March 17 — A computer intruder armed with a secret, particularly effective attack tool recently took control of an Army Web server, MSNBC.com has learned. Both Microsoft and the CERT Coordination Center released hastily-prepared warnings about the vulnerability that led to the attack on Monday. But it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.

It’s unknown what Army computer was attacked, how significant a target it was, or what the intruder’s intentions were. But the exploit was sophisticated and well designed, and it was alarmingly successful, said Russ Cooper, security researcher for TruSecure Corp. The company learned of the attack through sources in the U.S. military last Tuesday, Cooper said. “We believe the Army was being targeted,” Cooper said. “We don’t believe anybody else has been targeted by this.”

[Bloody Sam Roberts]

Didn't see this posted when I did a search.

[VRWC_minion]

They'll never know the successful ones.

[Bloody Sam Roberts]

They'll never know the successful ones.

Only when it's too late.

[NewYorker]

Does this explain why there have been almost daily software "updates" from Microsoft recently?

[demlosers]

Wow they took down a Web server. That will show us!
/sarcasm

[Timesink]

If they're using off-the-shelf Windows servers, they get what they deserve. The inherent insecurity of them is the sort of thing you learn on the very first day of IT 101.

[ikka]

Any idiot, military or otherwise, who runs Win2k and IIS on a publicly available server deserves what he gets. The history of MS software is bug-infested, security-unaware code.

[Noslrac]

I am hopefull that we do not place important secrets on servers that are connected to the public internet via firewalls or not.

[smith288]

Im a big fan os ASP and the ability of IIS but their securty risks are for personal use only in my opinion. I have grown to like PHP with Apache. Im a big MS user too. I just know their limitations.

[Indy Pendance]

Isn't there a secure software package that isn't microsoft, that is designed specifically for the government? Like the red phones. Please, let me be dictator of the US for one day.....

[John Jorsett]

Not to worry. The miltary doesn't put classified stuff on computers that can be accessed via public networks. For obvious reasons.

[PianoMan]

Microsoft

That says it all.

[Beck_isright]

And so it begins.....

[eno_]

You are correct. This kind of attack has no military purpose. A "trojan horse" attack that collected information and otherwise caused no disruption is one of the only kinds of attack worth pursuing for national security purposes. Odds are this is just a particularly good cracker.

[FreeTheHostages]

A lot of military systems use Unix or Linux. More secure. The microsoft nuts will come on this thread shortly and say it isn't so, but they will be wrong. :)

[Bloody Sam Roberts]

Odds are this is just a particularly good cracker.

I'm told that people from Georgia aren't fond of that moniker. We need to be more sensitive in our use of such phrases. We wouldn't want to offend anyone.

</sarcasm>

[Indy Pendance]

I know about Unix and Linux, BUT I'M NOT A GEEK OR AN EXPERT ABOUT IT. (just had to say that). But don't you think in the best interest of the US for security, we should develop a totally new system strictly for government applications? Something that's not advertised, ala, phone systems, which only those with security clearance can access?

[Archie Bunker on steroids]

Many closed systems do.....hackable systems generally don't.

[FreeTheHostages]

There are a variety of systems used on governmental facilities and different ways of having access. I imagine that if anyone knows anything specific along the lines of what you suggest (and I don't), they'd be forbidden to discuss it.

[Poohbah]

What you're suggesting is "security through obscurity."

That approach is NOT immune to glaring security holes--witness the number of buffer exploits available on closed-source systems such as Windows NT/2000, SunOS, HP-UX, et cetera.

And limiting access to those having a security clearance may only mean that the attackers will have a better idea of what boxes to attack.

John Walker had a Top Secret Clearance for many years.

The solution for open AND closed-source software is for coders to use well-established techniques to avoid buffer overflows (the most common form of exploit), and system admins to pay attention to what their systems are doing (something that is not always available).