funsec mailing list archives

Army Admits To Major Computer Security Flaw


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 5 Sep 2013 00:31:30 -0400

Surely this can't be true... Is it April 1st? (and thanks to KW for this)

http://www.buzzfeed.com/justinesharrock/exclusive-army-admits-to-major-computer-security-flaw

The United States Army’s Deputy of Cybersecurity Roy Lundgren has
confirmed with BuzzFeed the existence of a major computer security
flaw that enables unauthorized access to users without proper security
clearance. They say the best fix is to make soldiers aware of proper
conduct, instead of fixing the technology itself.

Countless computers, and the soldiers who use them, remain vulnerable
to a simple hack, which can be executed by someone with little or no
security expertise.

The hack allows users with access to shared Army computers to assume
the identities of other personnel, gaining their security clearances
in the process, and having their activity logged as that user.

In order to log into a shared Army computer you need to insert your
personal Common Access Code military ID. Each card contains a chip
that has the individual soldier’s permissions and security details,
and which helps the military track your activity. Once you remove the
card, you are fully logged out. But the hack overrides that system
during the shut down period.

“There are instances where the log-off process does not immediately
complete upon removal of the CAC. This occurs when the system is
running logoff scripts and shutting down applications,” Lundgren told
BuzzFeed. “The period of time that a system can be accessed following
CAC removal before system logoff completes is normally not sufficient
to gain unauthorized access.”

The U.S. Army has been aware of the flaw for at least two years. One
officer, a lieutenant, reported the flaw in 2011, to his superiors — a
middle-ranking officer, and another in computer communications. He was
made to sign the Army’s version of a nondisclosure agreement. Keep
quiet, or face jail time, he was told. Another soldier, who went to
his superiors and even Congress, got no results.

When asked about the lieutenant’s nondisclosure form, the Army did not comment.

“If an issue is reported to our cybersecurity directorate, we would
normally contact the system owner and ask them for an assessment,” the
Army told BuzzFeed, not commenting on the response to this specific
report. “Often the risk is known and mitigating factors are already
being applied and/or the organization has developed a plan of action
to correct the issue.”

The lieutenant, who spoke to BuzzFeed on condition of anonymity, was
told that there was nothing they could do. It would cost too much to
fix it, they told him. It would require redoing too many contracts.
“The term they used is that it would be ‘impractical’ to try and fix
it,” he says.

“The government and industry must manage numerous risks each day. We
look at each situation and decide if it is a low risk or high risk
situation. Then the decision must be made how the risk will be
managed,” Lundgren says. “Often software and/or hardware solutions are
not available, supportable, or necessary. In the case of many risks,
they are managed via other mitigations such as modifying policy,
procedures, or training.”

The Army contends that instead of improving the security flaw itself,
individual soldiers should make sure they are properly logged off.
“The government and industry must manage numerous risks each day,”
says Lundgren. “Often software and/or hardware solutions are not
available, supportable, or necessary. In the case of many risks, they
are managed via other mitigations such as modifying policy,
procedures, or training.”

In response to the problem they are planning an “Information
Assurance/Cybersecurity Awareness week” in October as a follow-up
measure to their new handbook, released last February, which stresses
the importance of individual responsibilities to protect information.
According to Lundgren, the handbook “augments current policy,
training, and inspection processes and aims to raise awareness and
change culture.”

“Commanders and other leaders are reemphasizing the importance of
protecting our information and systems, and key processes to ensure
this,” says Lundgren. “The Army is also emphasizing that cybersecurity
is the business of all leaders and that we cannot ignore information
assurance/cybersecurity requirements due to a lack of knowledge and/or
convenience.”

Knowledge of the flaw has spread to low-level soldiers who don’t work
in technology, as confirmed with BuzzFeed by more than one source.

Since many military computers have stuffed, cluttered hard drives as
the result of long-term use by large numbers of soldiers, they often
hang while shutting down. When soldiers sharing computers are in a
rush, this identity swap can easily happen by accident.

BuzzFeed sources say it is easy to accomplish on both secure and
non-secure computers. The officer who reported the flaw has tested the
exploit to see if it would allow a user to gain access to SIPRNet, the
classified DoD network from which Chelsea Manning acquired some of the
files she then leaked to the press. It could.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.