Hacker steals Air Force officers' personal details

MSNBC ^ | August 23, 2005 | Jonathan Krim

[Thumbellina]

This is true, my husband is one that was notified

[MindBender26]

Sounds like a major, very succesdful intel op by some entity willing to commit major resources to the effort.

Why isn't there a two-man rule for entry on this kind of data?!

[montag813]

Remember how in "24" Marwan infiltrated the Air Force. We should assume this is just some pimpled teenager drinking Red Bulls in his Mom's basement.

[MindBender26]

Why hasn't the commander been relieved?

[MindBender26]

>We should assume this is just some pimpled teenager drinking Red Bulls in his Mom's basement.

No, we should assume it is Al Queda and that they have since given/sold data to other terr orgs, the PRC, the Russians and all others.

You prepare and train for the worst contingencies, not the easy ones.

[Mo1]

later read

[Coop]

Why hasn't the commander been relieved?

You want to relieve the commander because no procedures were violated?

[freema]

Yes we should. I think it was here on FR not long ago that I read a report out of South Africa that said Al Qaeda had threatened to email graphic videos to servicemembers and their families.

[vox humana]

Inadequate security procedures could have been the problem. "Government security" is an oxymoron.

[BureaucratusMaximus]

Officials of the Air Force Personnel Center, based at Randolph Air Force Base in San Antonio, said the intrusion occurred sometime in May or June, apparently by someone who used a legitimate user's log-in information to gain access to the system.

Happened in May or June. Story dated today. Man...that just makes me feel all warm and fuzzy.

[Coop]

"Government security" is an oxymoron.

So you propose deactivating the Department of Defense?

[neodad]

My girlfriend is working for a contractor converting paper files to digital at Randolph. Lot of people working on the contract. I just emailed this thread to her to see if she's heard anything.

[CyberAnt]

I find this very interesting. In the FOX series "24" - that's how they got hold of a sophisticated airplane to use against the USA. However, they didn't just steal the pilots identity - they killed him and his family.

Hmmmmm?? Makes you wonder .. what info did this officer have access to .. or what doors would be opened to him without question - because of his ID ..??

[HKMk23]

I should think he might like to relieve the Commander because there were no procedures in place that had to be violated for this to happen.

[MindBender26]

>You want to relieve the commander because no procedures were violated?

I want to relieve the commander because no procedures were in place to prevent this violation?

Failure to have adequate procedures in place is no excuse.

In war, there are no excuses, at any level. Just the victorious and the dead.

[dimk]

From the story the break in was due to insecure password. There are ALOT of different ways how legit id and password could be compromised.

1. Social engineering
2. Sniffer programs on the user PC
3. Brute forcing (it does work, but I doubt this one they should have had something in place to prevent this).

The only reason to fire the person in charge of the security would be if the procedures were at fault. Were the passwords "strong"? Were they changed regularly? Could users access DB from outside machines (sniffer problems). Were all of the user machines properly secured. Did they have trap doors in DB to detect possible intrusion?

Very few people appreciate how grave the security problem is for any business or individual. I can drive down the street for 5 minutes and scan into few dozen private wireless networks and probably 5-6 businesses. These are the people that didn't even bother to setup a proper password.. Any 10 year old with some time spent researching on the web can break into some of the older Windows machines that are being used all over the place.

Unfortunately since they did not detect it fast, finding who did it and how will be practically impossible. Smart cracker will not be back to be found. If its some 12 year old they might get him, if he left traces of some sort.

[dakine]

Career killer for Col and Lt. Col. involved...

[Criminal Number 18F]

Why hasn't the commander been relieved?

Depends on how the break-in happened. If the person whose login was used gave it to someone, the hanging takes place at a lower level. If he did not, then they probably got hold of it the usual way: Windows exploits, spyware/adware, or social engineering.

Military computers are just as vulnerable as anyone else's to spyware, and military administrators are generally less savvy, less committed, and much less well-trained that those in corporations. You get what you pay for, and most military networks are run by one-tour E3s who had eight weeks of instant-expert school starting with the definitions of ROM and RAM and ending with some monkey-see, monkey-do procedures for administering Windows servers.

Then, the PFC finds he or she spends all day not installing the day's security fixes on the server, but cleaning the spyware off the Colonel's laptop and dealing with people whose printer won't print because they stepped on the switch on the power strip.

Then, you have the military's fascination with extreme password security. The password must be more than eight and less than twelve characters and incorporate a bunch of things that make it non-mnemonic, and then they force users to change it every few months. As a result, I could walk you into any office in the Pentagon (yes, including inside the vaults) and we could find somebody's password and login on a post-it on the monitor, and somebody else's in the desk drawer.

Everybody in the "real" computer security world understands that excessively rigid password policies lead to compromises, but the DOD computer world is manned by Junior G Man wannabees who pick this stuff up on TV spy shows.

Basically, DOD computer managers -- not the PFCs, who are bright and trainable, not that the military tries -- but the people at the center of things -- are stupid.

For a while, the whole DOD computer morass was run by a woman, Heather somebody (Anderson?), who had bought phony degrees from "Hamilton University." When she made a complete botch of computers, they put "Dr." Anderson in charge of security clearances and she screwed that up too. But she was one of the more competent DOD computer higher-ups.

One thing that is dead certain is that no one in DOD from PFC to supergrade civilian will lose a job (or a dollar) over this. The only people that will suffer for it are the thousands of Air Force members whose documents were carelessly exposed to exploitation. For months on end.

d.o.l.

Criminal Number 18F