Defending a new domain 1

William J. Lynn III opens his essay in Foreign Affairs, with a confession that “in 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks.”

He explains that this compromise originated from an “infected” flash drive. The drive was “inserted into a U.S. military laptop at a base in the Middle East.”

The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command.

That’s what is published in Foreign Affairs: Code on a flash drive “uploaded itself” onto a network… hmm…

Code doesn’t do anything with itself — code is executed by a processor. A flash drive is storage. It doesn’t have a processor. If code moved from a flash drive to a network, the computer into which the flash drive was inserted ran the code, and the code included routines to access a network in some way, from a computer.

How could that have happened?

Clearly, the person who inserted the flash drive had physical access to the machine (on a military base, remember) and the USB port was enabled. The computer was logged on as a user with privileges allowing a drive to be mounted and code on the drive to be executed — code that apparently had some impact.

It was a Windows machine that had autorun enabled. Mr. Lynn doesn’t include this in his confession, but old posts at and elsewhere identify the worm as Agent.btz, based on an earlier worm, Silly.FDC. I don’t know anything about these worms, except that they spread by creating an AUTORUN.INF in the root of a drive, so they could spread among machines with autorun enabled via USB-attached external storage. Do they also spread by accessing a network? I’m not sure about that.

Since Windows is always scanning for new hardware that it can attach to a system, it immediately saw the newly inserted memstick, mounted it as a drive without asking permission, and then because autorun was enabled, it looked around for code pointed to by AUTORUN.INF to run. Finding code, it ran it. The code did things the Windows system did nothing to prevent.
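To make the AUTORUN.INF mechanism concrete, here is an added example (not from the original post or from any of the worm write-ups it mentions) that parses the file a removable drive carries and reports which directives would cause Windows with AutoRun enabled to launch code. The sample files, the `RECYCLER\x.exe` target and the drive labels are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the sort of AUTORUN.INF a drive-jumping worm drops in a
# drive's root. The executable name and path are made up for this example.
SUSPECT_AUTORUN = """\
[autorun]
open=RECYCLER\\x.exe
shellexecute=RECYCLER\\x.exe
shell\\open\\command=RECYCLER\\x.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""

# Constructed benign file: only cosmetic directives, nothing to execute.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.ico
label=Field Manuals
"""

# Directives that make AutoRun launch a program from the drive itself.
EXEC_KEYS = ("open", "shellexecute")
EXEC_KEY_RE = re.compile(r"^shell\\.*\\command$", re.IGNORECASE)

def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an AUTORUN.INF into lowercase key -> value."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries

def launch_directives(entries: Dict[str, str]) -> List[str]:
    """Return every directive that would run code when the drive is inserted."""
    return [f"{k}={v}" for k, v in entries.items()
            if k in EXEC_KEYS or EXEC_KEY_RE.match(k)]

def assess(text: str) -> str:
    """Classify a drive's AUTORUN.INF: 'executes-code' or 'cosmetic-only'."""
    return "executes-code" if launch_directives(parse_autorun(text)) else "cosmetic-only"
```

On a host where this check matters, the durable fix is to turn AutoRun off for all drive types (the `NoDriveTypeAutoRun` policy value set to 0xFF) rather than to inspect each drive by hand.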

To clarify this with an analogy, if you met a human being in a tavern with the personality of this computer, he would be a sweat-drenched 300-lb sumo wannabe, orange mohawk, skull and spider tattoos, mad with whiskey, roaring for more and challenging all and sundry to “Fight right now!”

How do you deal with that? Well, if it’s a computer, you just pull the plug.

But the bigger problem, not admitted by Mr. Lynn but easily inferred, is that this out-of-control Windows box was attached to a laissez-les-bon-temps-rouler network: “Come on in, Bud — here’s an IP address, a party hat and a bottle of champagne… Join the netrock! Get it? NetRock… hee hee hee…”

Possibly the network admins were stuck in a military-style “perimeter security” mentality, and didn’t know that network security, today more than ever, is all about what’s *inside* the network, not what’s outside on the internet, trying to get in.

It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.

Mr. Lynn, you need to do your homework. An AUTORUN.INF file on a flash drive is not invisible.

I’m pretty sure Agent.btz is just a drive jumper, but if the DOD variant was in fact a network worm, the simple truth is that nothing moves across a network “silently”. Every byte on the wire or in the air, or passing through a NIC for that matter, is in plain sight to those watching. But “watching” is the operative word here. When Mr. Lynn writes of a rogue program operating silently, what he’s telling us is, “We weren’t watching.”

It’s that simple.

Just as a secured computer is set up to be suspicious of flash drives and code on them, a network needs to be wary of computers belonging to the network. It’s all about what DOD could label with the jargon phrase, “situational awareness.” But it’s situational awareness of what’s going on inside the wire. Forget techie bad guys in distant lands. Leave them to Hollywood script writers. Watch your own network closely — pull the plug on 300-lb sumo wannabes — and you’ll be fine.
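As an added example of what “watching inside the wire” can look like in practice (this is not code from the original post), the following groups outbound flows per internal host and flags any host that contacts an outside address at a regular interval, the pattern a rogue program phoning home tends to produce. The flow records, the 10.20.0.0/16 address space and the 203.0.113.9 destination are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (seconds since start, source IP, destination IP, dest port).
FLOWS = [
    (0,   "10.20.1.15", "10.20.1.2",   445),
    (30,  "10.20.1.15", "10.20.1.2",   445),
    (60,  "10.20.1.15", "203.0.113.9", 443),
    (360, "10.20.1.15", "203.0.113.9", 443),
    (660, "10.20.1.15", "203.0.113.9", 443),
    (960, "10.20.1.15", "203.0.113.9", 443),
    (100, "10.20.1.22", "10.20.1.2",   445),
    (200, "10.20.1.22", "10.20.1.3",   80),
]

# Assumed: the base's own address space; anything outside it is "off the base".
INSIDE = ipaddress.ip_network("10.20.0.0/16")

Flow = Tuple[int, str, str, int]

def outbound_by_host(flows: List[Flow]) -> Dict[str, Dict[Tuple[str, int], List[int]]]:
    """Map each internal host to its external (dst, port) pairs and contact times."""
    seen: Dict[str, Dict[Tuple[str, int], List[int]]] = defaultdict(lambda: defaultdict(list))
    for t, src, dst, port in flows:
        if ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) not in INSIDE:
            seen[src][(dst, port)].append(t)
    return seen

def looks_periodic(times: List[int], tolerance: int = 5) -> bool:
    """True when three or more contacts are spaced at a near-constant interval."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return max(gaps) - min(gaps) <= tolerance

def flag_hosts(flows: List[Flow]) -> List[Tuple[str, str, int, int]]:
    """Return (host, dst, port, contact count) for each periodic external contact."""
    alerts = []
    for host, dests in outbound_by_host(flows).items():
        for (dst, port), times in dests.items():
            if looks_periodic(times):
                alerts.append((host, dst, port, len(times)))
    return alerts
```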

I haven’t yet read more than a few paragraphs of this essay, but based on the first sentences, I predict that Mr. Lynn will wander off down a rabbit trail, speculating about unknown adversaries, foreign intelligence agencies, Defending a New Domain (the title), etc. — unaware that who is attempting to do something you don’t like on your network is irrelevant to the business of network security, and equally unaware that relevant categories like “inside the network” and “outside the network” aren’t any newer than “on the base” and “off the base.”

My prediction may be wrong. But Mr. Lynn’s intro, with code uploading itself from a flash drive onto a network, suggests that he doesn’t know How It Works, and if he doesn’t know how it works, it will be pure roulette-wheel chance if he says something that makes good sense.


About pmbarry

One of these days a man's gonna walk up to you with a shoe on one foot and a boot on the other, and he's gonna tell you 'bout things you ain't never heard of.