Defending a new domain 2

William J. Lynn III, in his Foreign Affairs essay (Defending a New Domain), says that this “previously classified incident was the most significant breach of U.S. military computers ever.”

Given the rather primitive exploit Mr. Lynn is writing about, a better way of saying that would be “…the most significant breach of U.S. military computers yet detected.”

In 2008, DOD was hammered by Agent.btz, a Windows-only worm that spreads by abusing Microsoft’s AutoRun feature: it writes an AUTORUN.INF into the root of any drive it can reach, and the Windows shell then runs the program that file points to. Agent.btz is a variant of Silly.FDC, which at the time was familiar, globally, to anyone interested in, or responsible for, network security. The idea of exploiting autorun goes back to the 90s. There was nothing new about the exploit and, as far as I can tell from reports, the worm was not remarkably clever.

Agent.btz would be just another pedestrian Windows exploit if it hadn’t landed, probably by chance, in a very large and important network, perfectly suited to its simplistic technique for spreading itself.

Because Agent.btz spreads using Windows autorun, and because the military was disoriented and reeling in late 2008, DOD banned the use of thumb drives (a ban since moderated). The worm first got onto a DOD computer from a thumb drive, according to Mr. Lynn. But in a Windows-heavy network where sysadmins leave autorun enabled for every drive type, mapped network drives are far and away the primary vector for this kind of worm: an AUTORUN.INF dropped in the root of a share is honoured by every machine that maps that share. One thumb drive infects one computer; one network share mapped by 1000 computers infects 1000 computers.

Although it didn’t spread on the network other than through drive mappings, Agent.btz did, apparently, attempt to download binaries from certain domains on the Internet, including a .cx domain (Christmas Island), and it’s possible those binaries had network-aware capabilities. About that, I don’t know. If the DOD security guys didn’t isolate and study a few instances of the worm, they don’t know either.

Mr. Lynn refers to this as a “significant compromise”. Let’s carefully parse out exactly what was significant:

1. The worm itself was NOT significant, but
2. DOD’s vulnerability to a garden variety Windows exploit was significant, and
3. DOD’s hysterical response was significant.

Mr. Lynn credits this “significant compromise” to the work of a foreign intelligence service, which on its face is unlikely. But in fairness to Mr. Lynn, we can assume that he himself honestly believes the statement he made. Perhaps he was shown evidence he found convincing.

If the chaps who gathered that evidence were the same Apple Dumpling Gang responsible for security on DOD networks at the time, the particulars of their evidence would warrant close inspection. The assertion that a foreign intelligence service was responsible is an interesting theory, but in the absence of evidence for or against that theory, I’m skeptical, albeit without a settled opinion. Mr. Lynn does believe the theory.

He was asked a pointed question about this foreign intelligence service connection by writers at Wired:

But what spy service would launch such a lame attack?

“It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach and that’s what started a couple years ago. I’ve tried to lay out where we’re going going forward.” [Danger Room]

If you boil down the first paragraphs of his essay to the essence, Mr. Lynn is telling us that DOD got womped by a lame attack. It follows that DOD readiness and/or competence in the area of network security is the one issue needing attention.

Is DOD readiness and/or competence the focus of Mr. Lynn’s essay?

Unfortunately, not. Instead he wanders far and wide, across a landscape that becomes increasingly surreal: “the scale of cyberwarfare’s threat to U.S. National Security,” etc., “cyberwarfare is asymmetric,” and so forth; Cold War deterrence models don’t apply in cyberspace, “sophisticated intrusions into the networks that control critical civilian infrastructure…”, “…computer induced failures of U.S. power grids…”


Did he forget to take his meds?

I don’t think it’s that. It’s a style of thinking, and it’s a style of thinking not uncommon in government. To understand it, you have to realize it has nothing to do with solving real-world problems. Any given “problem” is more analogous to a card drawn from the deck in a game of charades: You want your team to guess the word or phrase. What the phrase *is* doesn’t matter. Put a lamp shade over your head, hold your nose and hop on one foot, jump on a table and strike a muscle man pose… whatever you need to do. The idea is to inspire the right guess.

In government the idea is to get the right soundbites, get attention from the White House or from a key Senator, get funding for a project, get invitations to speak in the coolest venues, etc. The thing you start with is whatever was written on the card you drew. The thing on the card might, in fact, be a problem worth solving, but solving the problem and making headway in the game are two completely different and unrelated things.

Mr. Lynn’s Foreign Affairs essay is all about playing the game. If you read it expecting ideas for solving a problem worth solving — DOD’s backwardness in the area of network security — all you’ll see is a fantastic caricature of the Department of Defense.

But you need to know that the man spinning around on his back, kicking his feet in the air and flailing his arms, simply wants his team to shout out, “Beetle on its back!” He’s not trying to help all beetles or any particular beetle get to its feet. So, with that in mind, you can excuse Mr. Lynn for laying out “a new strategic approach” devoid of any strategy related to a real-world problem.


Posted in Uncategorized | Leave a comment

Defending a new domain 1

William J. Lynn III opens his essay in Foreign Affairs, with a confession that “in 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks.”

He explains that this compromise originated from an “infected” flash drive. The drive was “inserted into a U.S. military laptop at a base in the Middle East.”

The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command.

That’s what is published in Foreign Affairs: Code on a flash drive “uploaded itself” onto a network… hmm…

Code doesn’t do anything with itself — code is executed by a processor. A flash drive is storage; whatever tiny controller it carries does not execute the files stored on it, so nothing on the drive runs until a host computer runs it. If code moved from a flash drive to a network, the computer into which the flash drive was inserted ran the code, and the code included routines to access a network in some way, from that computer.

How could that have happened?

Clearly, the person who inserted the flash drive had physical access to the machine (on a military base, remember) and the USB port was enabled. The computer was logged on as a user with privileges allowing a drive to be mounted and code on the drive to be executed — code that apparently had some impact.

It was a Windows machine that had autorun enabled. Mr. Lynn doesn’t include this in his confession, but old posts at and elsewhere identify the worm as Agent.btz, based on an earlier worm, Silly.FDC. I don’t know anything about these worms, except that they spread by creating an AUTORUN.INF in the root of a drive, so they could spread among machines with autorun enabled via USB-attached external storage. Do they also spread by accessing a network? I’m not sure about that.

Since Windows is always scanning for new hardware that it can attach to the system, it immediately saw the newly inserted memory stick, mounted it as a drive without asking permission, and then, because autorun was enabled, read the AUTORUN.INF in the drive’s root to find the program it pointed to (its open= or shellexecute= entry). Finding one, it ran it. The code did things the Windows system did nothing to prevent.
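The two mechanical points made here and in the later post (the shell trusts whatever AUTORUN.INF it finds in a drive root, and a policy that only half-disables autorun still leaves removable media and mapped shares open) are easy to check for yourself. The following is an added example, not code from this post or from any DOD source: it reads an AUTORUN.INF the way the Windows shell does, reports what would be executed and whether the file dresses itself up as a plain folder, and decodes the NoDriveTypeAutoRun policy bits. The three INF files are constructed for illustration (paths and labels are made up; none of them is the real Agent.btz file), and the registrable-path details are generic.

```python
"""Added example: what an AUTORUN.INF asks the Windows shell to run, and what
the NoDriveTypeAutoRun policy actually leaves enabled. Sample INF contents
are constructed; they are not the real Agent.btz file."""
from __future__ import annotations

# Bits of the NoDriveTypeAutoRun registry value (HKLM or HKCU,
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). Bit n disables
# AutoRun for the drive type that GetDriveType() reports as n; 0x80 covers
# types the shell cannot classify. 0x91 was the Windows XP/Vista default,
# which still honours AutoRun on removable media; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",     # USB flash drives, floppies
    0x08: "fixed",         # local hard disks
    0x10: "remote",        # mapped network shares
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unclassified",
}


def autorun_enabled_for(policy_value: int) -> list[str]:
    """Drive types on which AutoRun is still honoured under a policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Key/value pairs of the [autorun] section. Section and key names are
    case-insensitive, as in Windows; a later duplicate key wins."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def shell_actions(entries: dict[str, str]) -> list[tuple[str, str]]:
    """Commands the shell would execute: open= (AutoRun, the AutoPlay default,
    or double-click), shellexecute= (open a file with its handler) and
    shell\\<verb>\\command= (context-menu verbs; shell=<verb> picks the one
    double-click uses). Whether open= fires automatically or only when the
    user accepts the AutoPlay default depends on Windows version and drive
    type, but in every case the shell takes the INF at its word."""
    actions = [(k, entries[k]) for k in ("open", "shellexecute") if k in entries]
    actions += [(k, v) for k, v in entries.items()
                if k.startswith("shell\\") and k.endswith("\\command")]
    return actions


def assess_autorun(text: str) -> dict:
    """Does this INF run code, and does it pose as an ordinary folder?"""
    entries = parse_autorun_inf(text)
    actions = shell_actions(entries)
    reasons = []
    if actions:
        if "folder" in entries.get("action", "").lower():
            reasons.append("action= label mimics the built-in 'Open folder to view files' choice")
        if "shell32.dll" in entries.get("icon", "").lower():
            reasons.append("icon= borrows a stock shell32.dll icon so the drive looks like a folder")
    return {"executes": bool(actions), "actions": actions,
            "disguised": bool(reasons), "reasons": reasons}


# Constructed samples (made-up paths and labels, not real malware).
WORM_INF = """\
[AutoRun]
; the pattern removable-media worms used: run a dropped binary, look like a folder
open=RECYCLER\\update.exe
shell\\open=Open
shell\\open\\command=RECYCLER\\update.exe
shell\\explore=Explore
shell\\explore\\command=RECYCLER\\update.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

VENDOR_INF = """\
[autorun]
open=setup.exe
action=Install Acme Driver Pack
icon=setup.exe,0
label=Acme Driver Disc
"""

ICON_ONLY_INF = """\
[autorun]
icon=disc.ico
label=Family Photos
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("vendor", VENDOR_INF), ("icon-only", ICON_ONLY_INF)):
        print(name, assess_autorun(inf))
    print("AutoRun still enabled under 0x91:", autorun_enabled_for(0x91))
    print("AutoRun still enabled under 0xFF:", autorun_enabled_for(0xFF))
```

The vendor disc and the worm both "execute" something; the difference the shell cannot see, and a human can, is that the worm's INF borrows the folder icon and the "Open folder to view files" label so that the AutoPlay prompt and the drive's context menu look like the harmless default. The policy decoder makes the other point: with the old default of 0x91, the only drive types protected were network shares and unclassified devices, so a thumb drive was still honoured.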

To clarify this with an analogy, if you met a human being in a tavern with the personality of this computer, he would be a sweat-drenched 300-lb sumo wannabe, orange mohawk, skull and spider tattoos, mad with whiskey, roaring for more and challenging all and sundry to “Fight right now!”

How do you deal with that? Well, if it’s a computer, you just pull the plug.

But the bigger problem, not admitted by Mr. Lynn but easily inferred, is that this out-of-control Windows box was attached to a laissez-les-bon-temps-rouler network: “Come on in, Bud — here’s an IP address, a party hat and a bottle of champagne… Join the netrock! Get it? NetRock… hee hee hee…”

Possibly the network admins were stuck in a military-style “perimeter security” mentality, and didn’t know that network security, today more than ever, is all about what’s *inside* the network, not what’s outside on the internet, trying to get in.

It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.

Mr. Lynn, you need to do your homework. An AUTORUN.INF file on a flash drive is not invisible.

I’m pretty sure Agent.btz is just a drive jumper, but if the DOD variant was in fact a network worm, the simple truth is that nothing moves across a network “silently”. Every byte on the wire or in the air, or passing through a NIC for that matter, is in plain sight to those watching; even when the payload is encrypted, who is talking to whom, when, and how much is there to be seen. But “watching” is the operative word here. When Mr. Lynn writes of a rogue program operating silently, what he’s telling us is, “We weren’t watching.”
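What "watching" looks like in practice, as an added example that is not part of the post: a worm that lands on many machines and phones home (the earlier post mentions Agent.btz trying to fetch binaries from Internet domains, including one under .cx) leaves a loud signal in the resolver logs, namely the same never-before-seen domain being queried by many internal hosts at once. The script below runs two simple checks over a few constructed DNS log lines: unknown domains ranked by how many hosts asked for them, and queries to top-level domains the network does not normally use. Every hostname, address and baseline entry here is made up for the example, and the registrable-domain rule is a deliberate simplification.

```python
"""Added example: two cheap "are we watching?" checks over constructed DNS
resolver log lines. Hostnames, client addresses and the baseline are fictional."""
from __future__ import annotations

from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
12:00:01 10.20.31.5 wpad.corp.example A
12:00:02 10.20.31.5 mail.corp.example A
12:00:09 10.20.31.7 files.sample-invalid.cx A
12:00:10 10.20.31.5 files.sample-invalid.cx A
12:00:11 10.20.31.9 files.sample-invalid.cx A
12:00:12 10.20.31.12 files.sample-invalid.cx A
12:00:13 10.20.31.12 cdn.vendor-invalid.example A
this line is garbage and is skipped
12:00:20 10.20.31.9 update.vendor-invalid.example A
"""

# Registrable domains this network is expected to talk to (constructed).
BASELINE = {"corp.example", "vendor-invalid.example"}


def registrable_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: production code should use
    the Public Suffix List so that host.co.uk does not collapse to co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[str, str]]:
    """(client, registrable domain) pairs; malformed lines are dropped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "." not in parts[2]:
            continue
        pairs.append((parts[1], registrable_domain(parts[2])))
    return pairs


def unknown_domains_by_host_count(text: str, baseline: set[str]) -> list[tuple[str, int, list[str]]]:
    """Domains outside the baseline, ranked by the number of distinct hosts that
    queried them. Many hosts on one unknown domain is the worm signature; one
    host on one unknown domain is more likely a person browsing."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for client, domain in parse_log(text):
        if domain not in baseline:
            hosts[domain].add(client)
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(domain, len(clients), sorted(clients)) for domain, clients in ranked]


def rare_tld_queries(text: str, common_tlds: set[str]) -> list[tuple[str, str]]:
    """(client, domain) pairs whose top-level domain this network does not normally use."""
    return [(client, domain) for client, domain in parse_log(text)
            if domain.rsplit(".", 1)[-1] not in common_tlds]


if __name__ == "__main__":
    for domain, count, clients in unknown_domains_by_host_count(SAMPLE_LOG, BASELINE):
        print(f"{domain}: queried by {count} hosts {clients}")
    for client, domain in rare_tld_queries(SAMPLE_LOG, {"example"}):
        print(f"rare TLD: {client} -> {domain}")
```

Neither check needs packet capture or a signature for the worm; a resolver log and a list of what the network is supposed to talk to are enough, which is the point about watching the inside of the wire rather than guessing at the adversary.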

It’s that simple.

Just as a secured computer is set up to be suspicious of flash drives and code on them, a network needs to be wary of computers belonging to the network. It’s all about what DOD could label with the jargon phrase, “situational awareness.” But it’s situational awareness of what’s going on inside the wire. Forget techie bad guys in distant lands. Leave them to Hollywood script writers. Watch your own network closely — pull the plug on 300-lb sumo wannabes — and you’ll be fine.

I haven’t yet read more than a few paragraphs of this essay, but based on the first sentences, I predict that Mr. Lynn will wander off down a rabbit trail, speculating about unknown adversaries, foreign intelligence agencies, Defending a New Domain (the title), etc. — unaware that who is attempting to do something you don’t like on your network is irrelevant to the business of network security, and equally unaware that relevant categories like “inside the network” and “outside the network” aren’t any newer than “on the base” and “off the base.”

My prediction may be wrong. But Mr. Lynn’s intro, with code uploading itself from a flash drive onto a network, suggests that he doesn’t know How It Works, and if he doesn’t know how it works, it will be pure roulette-wheel chance if he says something that makes good sense.



A disturber of traffic…

Go ’round by the Oombay Passage! Quit streaking up my water! –Rudyard Kipling

