Unfortunately this is not a new revelation or disclosure.
Going back to 2009 there was an engagement that used a battle command system.
The opposing force in the exercise found the contractor, downloaded the user and training materials from a web and FTP site, exposed...
1/
Going back to 2009 there was an engagement that used a battle command system.
The opposing force in the exercise found the contractor, downloaded the user and training materials from a web and FTP site, exposed...
1/
to the public Internet, and found by scanning the IP range of the sub-contractor who did the work.
Then, they just logged in as privileged users to all the battle systems. You would think that would have been game over (it was a very simple default password).
2/
Then, they just logged in as privileged users to all the battle systems. You would think that would have been game over (it was a very simple default password).
2/
However, the defenders claimed foul (?!?).
While the OpFor (opposing force) was frustrated, they said ‘fine’.
They proceeded to essentially fuzz the input and found numerous ways to crash the system. Some of these were probably exploitable, but for the exercise, ...
3/
While the OpFor (opposing force) was frustrated, they said ‘fine’.
They proceeded to essentially fuzz the input and found numerous ways to crash the system. Some of these were probably exploitable, but for the exercise, ...
3/
and more importantly for Title-10 type engagements disruption (with attribution no less) can be more desireable than silent compromise.
The engagement continued and promptly the OpFor crippled everyone by crashing the systems.
4/
The engagement continued and promptly the OpFor crippled everyone by crashing the systems.
4/
The ‘red team’ was then dismissed because everyone else needed to get ‘realistic’ training out of the exercise.
The bad news is that this happens, and there are a lot of systems that didn’t take ‘cyber’ hardening into account for risk models in development/engineering.
5/
The bad news is that this happens, and there are a lot of systems that didn’t take ‘cyber’ hardening into account for risk models in development/engineering.
5/
The good news is that this can be addressed in the:
* short term via certain stop gap measures
* medium term via minimization of types of accessibility to input (phys, network, em, ...)
* long term via quantified measurements/transparency of hygiene in contractor deliverables.
* short term via certain stop gap measures
* medium term via minimization of types of accessibility to input (phys, network, em, ...)
* long term via quantified measurements/transparency of hygiene in contractor deliverables.
To be fair contractors weren’t/aren’t given instructions or guidelines to build systems in hardened fashions against types of attacks that practitioners in the infosec field consider basic.
Similarly program managers were/are not generally aware of the exposure.
Addressable.
Similarly program managers were/are not generally aware of the exposure.
Addressable.
Colophon: Such disruption and ‘effect’ should be expected in any actual engagement with an adversary possessing modest capabilities, coordination, and military strategy.
