Posted on 11/20/2008 4:43:58 PM PST by Sammy67
Edited on 11/20/2008 4:48:23 PM PST by Admin Moderator.
Thursday, November 20, 2008
The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs, FOX News has learned.
The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks.
(Excerpt) Read more at foxnews.com ...
Mailbox storage is so tiny, at least on the network (non-classified) that I’m on, and giant PowerPoint presentations such a huge part of work, that USBs were a critical enabler to simply getting work done.
Thanks for the information.
LOL,,,Harley lays on his back (his couch) and watches Animal Planet!...;0)
Good question but I think you might have directed your question to me by mistake.
FRegards, friend.
Wikipedia - I'll keep looking...
[LOL,,,Harley lays on his back (his couch) and watches Animal Planet!...;0)]
Lol, Piper lays on his back and watches....his eyelids...ZZZZ
We do need to replace hardware. Here’s why, and what hardware:
The ASICs that run Ethernet interfaces are by and large now made in the PRC.
So let’s say you have an Ethernet chip (either on the mo-bo, or on a NIC card in the PCI). How do you know what logic is in the chip? As long as it performs the Ethernet role properly, how do you know that is ALL that is on that chip?
So here’s how you mount a massive attack that can’t be fixed with software patches:
You create a packet that is forwarded to the NIC/chip that has the correct L2 frame information - let’s say you’ve padded the Ethernet frame with additional information above and beyond the IP payload. The IP stack is going to look at only the IP datagram size, not the whole Ethernet frame. Or let’s say you turn on a particular set of bits in the Ethernet header, which then reads an L2 payload on only specific packets - and this starts the attack sequence.
How much extra stuff could you fit on a chip the size of an Ethernet chip? Oh man... I could have a whole small computer in there. Most of the CPUs today have much of their die space taken up with FPUs, cache and memory controllers. If all I wanted was a programmable controller to execute a few instructions to attack the network (or worse, sniff the network and kick interesting packets back out to a capture node), that would not take much logic at all.
How would you know that your Ethernet chipset has this additional logic?
Well, maybe you’d get lucky by fuzzing the Ethernet fields and frames... and maybe you wouldn’t/couldn’t. You could pull the silicon out of the carrier and look at it under a microscope and reverse-engineer it to ensure that all that was on the silicon was, in fact, an Ethernet controller.
But the government probably won’t do that. They’ll start pulling equipment off secure networks and insisting on “brand X, revision n.m” specifications for known good Ethernet controllers.
BTW — this idea for an attack has occurred to several of us who are former Cisco engineers and employees. We’ve been asking ourselves “why would the Chinese be counterfeiting only interface cards....?” There have been several scandals in DoD purchasing recently where the GSA order has been filled with either counterfeit low-end routers, or a Cisco box stuffed with counterfeit line cards.
The solution, ultimately, is to revert to Cold War thinking: for secure comm in the 80’s, I remember that it used to be a requirement for DoD projects that the devices come from certified US companies in US plants, especially CPUs and any device that created EM emissions. We need a certified secure compute, network and interface hardware platform...
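A defender-side check for the padded-frame case described in the post above, as an added example that is not part of the original thread: it flags IPv4 frames carrying bytes after the end of the IP datagram. It assumes untagged Ethernet II frames captured without the FCS; the function names and sample frames are constructed for illustration.

```python
import struct

ETH_HDR = 14           # dst MAC, src MAC, EtherType (802.1Q tags not handled)
MIN_PAYLOAD = 46       # shorter payloads are legitimately padded up to this size
ETHERTYPE_IPV4 = 0x0800

def ethernet_trailer(frame: bytes):
    """Return the bytes that follow the IPv4 datagram in the frame, or None if not IPv4."""
    if len(frame) < ETH_HDR + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    payload = frame[ETH_HDR:]
    if payload[0] >> 4 != 4:
        return None
    # The IP stack trusts this field and never looks past it.
    (total_len,) = struct.unpack_from("!H", payload, 2)
    if total_len < 20 or total_len > len(payload):
        return None    # malformed or truncated; out of scope for this check
    return payload[total_len:]

def classify(frame: bytes) -> str:
    trailer = ethernet_trailer(frame)
    if trailer is None:
        return "not-ipv4"
    if not trailer:
        return "clean"
    payload_len = len(frame) - ETH_HDR
    # Padding is expected only to reach the 46-byte minimum, and is
    # conventionally all zeros. Anything else deserves a second look.
    if payload_len <= MIN_PAYLOAD and not any(trailer):
        return "zero-padding"
    return "suspicious-trailer"

def build_frame(ip_payload: bytes, trailer: bytes) -> bytes:
    """Constructed sample frame: dummy MACs, minimal IPv4 header, zero checksum."""
    total_len = 20 + len(ip_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + ip_payload + trailer
```

A check like this runs on a capture point outside the NIC under suspicion, so it only observes what reaches the wire, not what the chip does with it.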
Is it plausible to think that our gung-ho free trade principles, regards Red China, et al, could be used against us?
Harley is a couch potato. He needs to get up off that couch and get a job. ;-)
I made my yorkie get off her back and do something useful! (She chases dust bunnies, now!) ;-)
Big difference between the G4 Power Mac and the G4 iMac. Maybe I just had really bad luck with the two iMacs that I had but then again when mine started acting up it wasn’t hard to find people with the same problem.
bump for later read.
Mine is more like a cat - when I take her outside, she has to sniff every crack and cranny - and she even gets up on her hind legs, and checks out the flowers in the flower pot.
Her sister who is here a lot sleeps on her back all the time.
They both love to chase lizards, sniff tarantulas, bark at javelinas and deer. Mine tried to attack a javelina once, and I grabbed her just a foot from the pig. It was terrifying! They are sweet, interesting little creatures, yorkies.
The thing is, we don’t know. We really don’t. Reverse-engineering a chip under a microscope is really time-consuming work for talented chip engineers. There are lots of chips and lots of revision levels to the same make/model of chip involved.
How many products could employ the same tactic? Lots. There’s a lot of non-bleeding edge stuff that is now made in China, on PRC-controlled fabs. Just ho-hum little chips in everything from radios, to consumer electronics, to computers, to... insert your widget here.
Is there a way around this if a problem is found? Thankfully, yes. A fast slap-dash fix in highly sensitive hardware can use network controllers that are implemented on FPGAs (field programmable gate arrays), and you can get standard network interface logic packages to blow into these chips. When you’ve programmed the chip to do what you want, you can blow off the rest of the gates so it will never do anything else. This is a spendy solution, but it works and you could have a working controller very quickly that you could slap in place of a PCI card with a faulty chipset, and you’d have a known good interface like... this week. Once you have a source of PCI cards and FPGAs, the replication process is pretty quick. The FPGAs are spendy, tho, and your typical $40 Ethernet NIC becomes a $150 to $300+ item with the FPGA plus labor costs.
Longer term, all we’d need is for a company to produce a verifiable chipset on a PCI card and start plugging those controllers in, plug the 10[0,0]BaseT cable into the PCI card and turn off any built-in interfaces.
Thank you. Jeez, loose lips sink ships, folks.
We were pretty secure using OpenVMS on DEC Alpha Servers. Mainly because there just weren't too many folks out there trying to hack into that system!
Yea, TEMPEST specs. Heard of it.
Pulling all that back together is going to take a little time since we've spent a lot of time outsourcing technology to our enemies for cheap prices and cheap labor.
Still, mitigation can come sooner with a little more thought. Replacing the OS is a prime place to start. Since an OS like Linux is open source, government can verify its security and tailor it for their needs. As for on-board Ethernet, replacement cards (from a reliable source - including the chipsets) can still be plugged in and the on-board chips disabled. Oh, and encryption. We should never hear stories about DoD laptops being stolen that have unencrypted data storage, regardless of the department they're assigned to.
Overall though, it will require a retooling of our information equipment procurement process and suppliers.