Saturday, February 20, 2016

A tale of idiots and red tape

Several people have emailed me privately to tell me how on target I was with the previous blog post.  Many have also publicly (and not so publicly) told me how very wrong I am about how Cyber Command (and their best bed buddy NSA) operate.  Most examples of idiocracy there are classified and can't be blogged about, but to illustrate how truly bad the problems are, let me share an unclassified story of idiots and red tape.

Cyber Command has all the red tape any infosec professional could ever want
A senior network exploitation operator noticed one day that the organization had deployed a large number of devices on an unclassified network.  He said to himself:
Wow - I know our targets frequently misconfigure these devices and leave default services enabled.  I wonder if our contract administrators staffed by the lowest bidder have done this too?
The operator decided to check, but realized that pen testing a DoD network without authorization could be a criminal offense.  He's a smart guy so he didn't penetration test anything.  He simply walked up to the device and started typing at the keypad.  Just by looking at options on the on-screen display, he confirmed that default services (including an incredibly insecure embedded HTTP server) were enabled.

The operator then emailed IT to let them know.  IT first said that the entire system was configured securely and he was wrong.  HTTP services were in fact disabled they said.  So he opened up a web browser on his system and navigated to the web page (which did not require authentication).  The web server would have accepted default credentials that would have given him additional access.  The operator knew the default passwords since he used them to regularly hack others (with authorization).  But he stopped short of logging in, knowing that this would be a big deal.  IT summarily ignored him and simply stopped answering emails.

When IT ignored him, he emailed security.  Rather than security contacting IT to address the vulnerabilities in Internet-connected DoD systems, they opened up an investigation into the operator's actions.  Security noted in their report that connecting to a web server officially involves making a TCP connection, which is sort of technically a port scan.  And port scanning sounds a lot like hacking.  Oh yeah, you can see where this is going.  This senior CNE operator who hacks other nation-states for a living found a glaring vulnerability in Cyber Command/NSA's own infrastructure.  They should have given this guy a medal.

But yeah, he didn't get a medal.  Instead he got a reprimand.  A written f*cking reprimand.  And that was the beginning of the end for him.  He started looking for a new job and no longer works for them.  He was one of the best operators I've ever had the pleasure of working with.

So go ahead and tell me all about how Cyber Command rewards creativity, problem solving and outside the box thinking. But meet me in a SCIF to do it.  I've got a hundred more stories like this that I can't share in open forum.  This didn't happen a decade ago, it was less than two years ago.  Are things getting better? Maybe. But according to the people I'm still talking to they are changing at a glacial pace (if at all).

Unfortunately, our adversaries are adapting to changing realities faster than Cyber Command.  Reminds me of the Polish Cavalry brigades meeting Hitler's tanks on the WWII battlefields with horses.  Sure, the cavalry had a rich history of tradition and military discipline.  But none of that mattered, because tanks > horses.  So please Cyber Command peeps... keep telling me about how well your traditional kinetic warfare models map to cyber.  I'll just remind you to go feed your horses and keep prepping for that tank battle.

So I've been informed that my public school education has failed me (again) and the Polish Cavalry never charged German tanks, instead killing infantry... My point stands and to reinforce it, I could list any of a number of examples like the Chauchat "machine gun" or the Sherman tank with its inferior gun and armor.  Seriously, thanks for correcting the record on the analogy, though my point about sticking to tradition in spite of evidence that it's the wrong move stands.

7 comments:

  1. Oh man we could write about stories like this all day long! I have my fair share of similar experiences! BTW, we met at Gordon Biersch in New Orleans with ICS dude! ;-)

  2. I get your message, but that metaphor in the last paragraph, about Polish cavalry versus German tanks? Didn't happen: it was a propaganda lie made up by Goebbels. (And broken metaphors don't help.)

    1. You are 100% correct. I blame my public school education. I'll fix the metaphor.

  3. This comment has been removed by the author.
